Security Incidents mailing list archives

RE: Possible new Bugbear


From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Wed, 4 Feb 2004 21:34:42 -0500

It's a very typical Bugbear message. Bugbear does not use a fixed set of
messages. It often takes portions of email found on the infected computer
and uses them as the delivery message. It also grabs sender and recipient
addresses from the same pile of email and takes the attachment name from
files on the infected computer. It often matches subjects and senders or
recipients, so sometimes its delivery appears to be a perfectly legitimate
message.

It is old, but still very much in circulation.

Since this was Bugbear.b.dam it was damaged and incapable of executing as
Bugbear.b.

But virus detection is generally "first and out", so detection of Bugbear
does not preclude additional infections within the file. And executing a
viral file can in some cases cause actions on the computer even if
anti-virus detects an infection after execution. In other words, the test
machine _might_ now be infected with something else that is not yet detected
by your anti-virus. Probably not, but maybe.

Saving the attachment to a file is usually the only action required to get a
virus scan. You can usually force a manual scan of the saved file, too, so
you can see the scan run.

If you want to fully analyze a strange attachment to learn exactly what it
is and discover any secondary infections that might exist in it, that is a
whole skill in itself. If not, it is best to not run (open) it at all.

Bugbear seems to pick a "favorite" attachment name from the infected
computer. You may receive more Bugbear messages with completely different
contents but with the same attachment name if they come from the same
source.


-----Original Message-----
From: Joe Miller [mailto:joseph-p-miller () cox net] 
Sent: Wednesday, February 04, 2004 12:52
To: Joe Miller; incidents () securityfocus com; 
aztechlist () yahoogroups com; kmiller210 () cox net; 
bruce.burton () shawgrp com; joe.miller () shawgrp com
Subject: Re: Possible new Bugbear

Sorry folks, it's not a new variant but it appears as though 
it is a new attempt at spreading this ancient worm.


============================================================
From: Joe Miller <joseph-p-miller () cox net>
Date: 2004/02/04 Wed PM 12:34:10 EST
To: incidents () securityfocus com, aztechlist () yahoogroups com, 
kmiller210 () cox net, bruce.burton () shawgrp com, joe.miller () shawgrp com
Subject: Possible new Bugbear

All,
Please be aware of emails with this Subject and message:

From:   "Southwest Airlines"
Subject:   Ticketless Travel Passenger Itinerary

************ !!! IMPORTANT NOTICE !!! ************
** BRING A COPY OF THIS ITINERARY WITH YOU TO   **
** THE AIRPORT FOR FLIGHT CHECKIN. 

Download Attachment: addresses.xls.exe 


I received this email that I thought was in error from 
Southwest Airlines.

I've never heard of BugBear coming from spoofed airlines or 
COX (@cox.com) email addresses so please bear with me:
It was a flight itinerary so I clicked Reply to inform them 
that I was the wrong person and noticed something strange 
about the reply address "Southwest 
Airlines"(no-reply () updates cox com) <AND> there was an 
attachment with two file extensions called 
addresses.xls[1].exe. Knowing that it was a virus, I opened it 
with a PC that I could take off the network if it was MiMail, 
Bugbear or any other worm.  McAfee detected it as 
W32/Bugbear.b.dam and was not able to clean, delete nor move the file.

Is this a new variant of Bugbear?

Good day,
Joe Miller
============================================================

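The double-extension lure described in the thread ("addresses.xls.exe", saved locally as "addresses.xls[1].exe") can be caught at the mail gateway before anyone opens it. The check below is an added example, not code from the list or from either poster; the sample message it parses is constructed to mirror the itinerary lure above, with placeholder addresses and a placeholder attachment body rather than any real worm sample.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Final extensions Windows will execute when the "document" is double-clicked.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Mail clients and browsers append "[1]" or "(1)" when saving a duplicate name,
# which is why the saved copy appeared as addresses.xls[1].exe.
DUP_SUFFIX = re.compile(r"(?:\[\d+\]|\(\d+\))$")


def is_double_extension_executable(filename: str) -> bool:
    """True for names like 'addresses.xls.exe' or 'addresses.xls[1].exe':
    a document-looking middle extension hiding an executable final extension."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    middle = DUP_SUFFIX.sub("", parts[1])  # 'xls[1]' -> 'xls'
    return parts[2] in EXECUTABLE_EXTENSIONS and middle.isalnum()


def suspicious_attachments(raw_message: bytes) -> list[str]:
    """Parse a raw RFC 822 message and return attachment names that match."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and is_double_extension_executable(name):
            flagged.append(name)
    return flagged


def build_sample() -> bytes:
    """Constructed sample mirroring the lure in the thread; addresses and the
    attachment body are placeholders, not data from the real message."""
    msg = EmailMessage()
    msg["From"] = '"Southwest Airlines" <no-reply@example.invalid>'
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Ticketless Travel Passenger Itinerary"
    msg.set_content("************ !!! IMPORTANT NOTICE !!! ************\n")
    msg.add_attachment(b"placeholder-bytes-not-a-real-binary",
                       maintype="application", subtype="octet-stream",
                       filename="addresses.xls.exe")
    return bytes(msg)


if __name__ == "__main__":
    print(suspicious_attachments(build_sample()))  # ['addresses.xls.exe']
```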

