| Port No | 137 |
| Service Name | BUGBEAR |
| RFC Doc | 0 |
| Protocol | TCP |
| Description | This polymorphic file-infecting variant of WORM_BUGBEAR.A contains all the functionalities of the earlier malware, including certain backdoor capabilities.
This worm opens port 1080 to allow remote users to connect to and manipulate affected systems. It also terminates certain antivirus programs, sends a lot of information to the network printer, and creates a mutex object named w32shamur. This worm uses its own SMTP engine to send email to addresses it gathers from infected machines. Its email messages contain an exploit that allows attachments to automatically execute when the messages are viewed or previewed in Microsoft Outlook and Outlook Express. The vulnerability exploit affects systems with unpatched Internet Explorer 5.01 and 5.5. More information on the exploit is available on the Microsoft Security Bulletin article Incorrect MIME Header Can Cause IE to Execute E-mail Attachment. This worm sends email with the following details: Subject: • Get 8 FREE issues - no risk! • Hi! • Your News Alert • $150 FREE Bonus! • Re: • Your Gift • New bonus in your cash account • Tools For Your Online Business • Daily Email Reminder • News • free shipping! • its easy • Warning! • SCAM alert!!! • Sponsors needed • new reading • CALL FOR INFORMATION! • 25 merchants and rising • Cows • My eBay ads • empty account • Market Update Report • click on this! • fantastic • wow! |
| Reference Link | BUGBEAR |
| Attack | Solutions: This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier. Open Windows Task Manager. On Windows 95/98/ME systems, press CTRL+ALT+DELETE On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the Processes tab. In the list of running programs*, locate the malware file or files detected earlier. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system. Do the same for all detected malware files in the list of running processes. To check if the malware process has been terminated, close Task Manager, and then open it again. Close Task Manager. *NOTE: On systems running Windows 9x/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions. |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.