Port No | 36794 |
Service Name | Bugbear |
RFC Doc | 0 |
Protocol | TCP |
Description | This is an alert regarding W32.Bugbear@mm, a mass-mailing worm that began yesterday. This worm affects machines running Windows 95, 98, ME, NT, 2000, and XP. The worm arrives via an email containing a random subject and message body, as well as an attachment with a double file extension. If the attachment is executed, the worm sends infected messages to addresses found on the system. It also attempts to shut down any anti-virus software running on the system, and opens a network port that allows a remote hacker to access the machine. The worm can also spread via Windows network shares. |
Reference Link | More Information |
Attack | Name: W32.Bugbear. Important notes about the manual removal procedure: these instructions are to be used only if you cannot download or run the W32.Bugbear removal tool. 1. Run LiveUpdate to install Norton AntiVirus definitions dated 9/30/02 or later. 2. Reboot the system into Safe Mode. 3. Run a full system scan of the user's hard drive. 4. Delete all files detected as W32.Bugbear@mm. 5. Delete all files detected as PWS.Hooker.Trojan (this is the backdoor tool). 6. The worm creates three .dll files in the %System% directory, and two .dat files in the %Windows% directory on the machine. These files have random filenames, and are not currently detected by the 9/30/02 NAV definitions. They should be deleted manually. 7. Remove the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\ 8. Change all passwords on the machine, as the existing passwords have most likely been compromised by the worm. |