NSC-030606: New strain of Worm "bugbear.b"

Department Network/Security Contacts:

There is a new worm in the wild called "Bugbear.b" which is particularly nasty. To spread, it uses both a mass-mailing engine and a network share propagator; it also carries a keystroke logger program and a remote access trojan program. It infects files in a "polymorphic" manner, and it terminates security software, including firewalls and anti-virus programs. Infected machines are a particular security risk, because files on the machine, as well as all account passwords used from the machine, are available via the remote access trojan and keylogger.

Reports indicate that infected machines can be located by scanning for systems listening on port 1080 (i.e., have communication port 1080 open). This is the port that the remote access trojan program operates on. The IT Security Office will be scanning the campus network to look for infected machines.
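A host-side version of this check, as an added example that is not part of the original notice: it parses `netstat -an` output and reports TCP sockets listening on port 1080. The sample output is constructed and the function names are illustrative; port 1080 is also the standard SOCKS proxy port, so a hit is a reason to investigate the machine, not proof of infection.

```python
import re

SUSPECT_PORT = 1080  # port the notice associates with the remote access trojan

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    192.0.2.15:1080        198.51.100.7:4312      ESTABLISHED
  TCP    192.0.2.15:3389        192.0.2.40:10801       ESTABLISHED
  TCP    192.0.2.15:10800       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1080           *:*
"""

# Columns: protocol, local address:port, foreign address, optional state.
# UDP rows have no state column, so the last group is optional.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Yield (proto, local_addr, local_port, state) for each socket row."""
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            proto, addr, port, _foreign, state = match.groups()
            yield proto, addr, int(port), state or ""


def listeners_on(text, port=SUSPECT_PORT):
    """Return local addresses with a TCP socket listening on `port`.

    The port is compared as an integer, so 10800 or a remote port of
    10801 never matches 1080. Established connections and UDP sockets
    are ignored; only a listening TCP socket fits the notice's indicator.
    """
    return [addr for proto, addr, local_port, state in parse_netstat(text)
            if proto == "TCP" and local_port == port
            and state in ("LISTENING", "LISTEN")]


if __name__ == "__main__":
    for addr in listeners_on(SAMPLE_NETSTAT):
        print(f"TCP listener on {addr}:{SUSPECT_PORT} - investigate this host")
```
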

Details about the worm are available at:

Symantec: http://www.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html

McAfee: http://vil.nai.com/vil/content/v_100358.htm

Current information suggests that infected machines must be reformatted and rebuilt from scratch to completely eradicate all traces of the worm.

Please advise users to initiate a manual "LiveUpdate" of their Norton Anti-Virus software to obtain current virus definition files. (Double click the yellow shield in the lower right corner of your Windows desktop, and then click on "LiveUpdate".)

Remind users that they must NEVER open e-mail attachments that they are not expecting. This virus can spread through file shares, so machines can also become infected without the user "doing" anything.

If you have questions, or believe your system may be infected, please contact the ITS Help Desk at 384-HELP.

Copyright © 2005 The University of Iowa. All rights reserved.