This infection attacks a system through unpatched versions of Internet Explorer 5.01 and IE 5.5 installed on any Windows operating system. Browsers running on Macintosh, Linux, and UNIX systems are not vulnerable to this threat. Risk level -- high
This is a widely distributed worm with a dangerous payload. Despite the fact that most systems should be fully protected by a patch or antivirus software, Bugbear has quickly surpassed Klez, SirCam, and all other recent malicious attacks on MessageLabs' list of most commonly encountered viruses and worms. A lot of copies of this worm are floating around, so your users are likely to encounter it. Once it installs itself on one PC, it can spread through network connections as well as email messages. Mitigating factors
If you have applied the latest IE patches to your systems or are using IE 6, this attack won't succeed. Also, any recently updated antivirus software should block this attack. Fix
To block the attack, apply the Microsoft patch. The initial report on this vulnerability is Microsoft Security Bulletin MS01-020, which was originally posted on March 29, 2001. But the patch in this bulletin has been superseded by the IE 5.01 and IE 5.5 patches listed in MS01-027, so you should look at both bulletins and evaluate your options before applying a patch. Cumulative patches have also addressed this threat. Your other option is to upgrade to IE 6 or above. To fix an infected system, use an antivirus program to remove the virus and then apply the patch. Details
When the attachment is opened, Bugbear determines the operating system version and creates copies of various malicious programs in different directories, depending on the OS. Antivirus software should remove any malicious files, but Bugbear will also create other files that must be removed manually. These are listed in detailed reports on this infection, such as the one found on Symantec's site. The Symantec report on this infection also lists about 100 programs (such as antivirus applications and firewalls) that the worm searches for and attempts to disable every few seconds. Listing A shows possible subject headers for the email attack. As you can see, a number of these subject lines look innocent enough to trick users into opening the email. Further temptation comes from the fact that the message will appear to come from a known source because the worm spreads using addresses found on user systems in the current inbox or taken from a number of database files that commonly contain email addresses. The Mitre identifier for this MIME vulnerability is CVE 2001-0154, and the BugTraq identifier is 20010330, "Incorrect MIME header can cause IE to execute email attachment." You can find more about this infection in this ZDNet news special and by reading some additional commentary at Geek.com. Final word
The lesson from Bugbear is clear. We can blame Microsoft for poor security -- and it often deserves criticism. But IT professionals must take a large share of the blame if this worm infects systems they are responsible for. Microsoft was on top of this vulnerability 18 months ago, and anyone who consistently neglects to maintain critical patches on their systems should reevaluate their procedures.
Have your say instantly in the
Tech Update forum. Find out what's where in the new Tech Update with our
Guided Tour. Let the editors know what you think in the
Mailroom.
Tech Update forum. Find out what's where in the new Tech Update with our
Guided Tour. Let the editors know what you think in the
Mailroom.
