Bugbear virus and LEM lists

From: Dan Knight <listmom_at_email.domain.hidden>
Date: Mon, 10 Mar 2003 06:39:19 -0500

A former member of the PCI PowerMacs list was alerted to the presence of a virus on a message purportedly sent from pci-powermacs. He emailed the following:

>This morning I received an email (apparently) from
>Our virus scanning software, carefully updated by our professional
>paranoids, alerted me to the fact that it contained a bugbear virus in
>an attachment (filename cotter.dat.scr)
>The email message itself seems real enough, until you look at the dates;
>look at the bottom of this mail.

A little research on the bugbear virus turns up the following:

  1. It installs itself in the Startup folder of any version of Windows later than 3.1.
  2. It attempts to use any SMTP (email sending) resources on the infected computer to create mass mailings.
  3. It attempts to install itself on other computers on the network.
  4. It attempts to create a backdoor on the infected computer that the worm's creator could use to access the computer in the future.
  5. It will send emails from "safe looking" bogus email addresses (such as pci-powermacs_at_email.domain.hidden instead of @maclaunch.com) to addresses it finds. It also seems to quote part of an email from that user ID to make the message look more authentic.

You may be tipped off by a strange date, an unusual return address, or your virus checker going off (Windows users should always run virus checking -- users with other operating systems cannot be infected by this and most other viruses).

These messages are not from our lists or our server; the bugbear worm can only be propagated by Windows computers. However, at first glance they may appear to come from us, so Windows users should be careful when checking list messages.

And we can all wonder when Microsoft is going to get serious about secure computing. The level of insecurity that gave birth to tens of thousands of worms and viruses is simply unacceptable, yet over 90% of all computer users take it in stride as something normal they have to deal with.

Thank goodness we only use Macs for production and *nix servers for our site and mailing lists.

Dan Knight, president, Cobweb Publishing, Inc.
 <http://cobwebpublishing.com> <http://lowendmac.com>
 <http://digital-views.com> <http://digigraphica.com>
 <http://lowendpc.com>          <http://reformed.net>

In a world without walls or fences, who needs windows or gates?

Received on 2003-03-10 03:51:30
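
The tip-offs named in the message above (an unusual return address, a strange date, an attachment such as cotter.dat.scr) can be checked mechanically. The following is an added example, not part of the original post; the sample message, the example.net sender, the two-day date tolerance and the extension list are constructed assumptions.

```python
import email
from datetime import datetime, timedelta, timezone
from email.utils import parseaddr, parsedate_to_datetime

# Extensions Windows runs when double-clicked (illustrative, not exhaustive).
EXECUTABLE_EXTS = {"scr", "pif", "exe", "bat", "com"}
MAX_DATE_SKEW = timedelta(days=2)  # assumed tolerance between sent and received

# Constructed sample message; only the attachment name comes from the report.
SAMPLE = """\
From: pci-powermacs@example.net
Date: Sat, 14 Sep 2002 10:00:00 -0400
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

> part of an earlier list message, quoted to look authentic
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="cotter.dat.scr"

(placeholder body)
--b1--
"""

def tipoffs(raw, list_domain, received_at):
    """Return the warning signs present in one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    found = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain != list_domain.lower():
        found.append("return-address")
    try:
        sent = parsedate_to_datetime(msg["Date"])
        if sent.tzinfo is None:          # "-0000" parses as naive; treat as UTC
            sent = sent.replace(tzinfo=timezone.utc)
        if abs(received_at - sent) > MAX_DATE_SKEW:
            found.append("date")
    except (TypeError, ValueError):      # header missing or unparseable
        found.append("date")
    for part in msg.walk():
        pieces = (part.get_filename() or "").lower().split(".")
        # name.ext1.ext2 where the final extension is executable
        if len(pieces) >= 3 and pieces[-1] in EXECUTABLE_EXTS:
            found.append("attachment:" + part.get_filename())
    return found
```

Call `tipoffs(SAMPLE, "maclaunch.com", received_at)` with a timezone-aware `received_at`; an empty list means none of the three signs was present.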

This archive was generated by hypermail 2.4.0 : 2020-01-13 12:15:19 EST