ISSN 1444-9994

Symantec Security Response Newsletter

June 2003


Bugbear Makes a Comeback!


Bugbear made a comeback this month in the form of W32.Bugbear.B@mm. This variant has some significant differences from the original version; of most concern are the key logging and data export. Of course, users wouldn't be infected if their systems were patched up to date. It's the same problem: an old vulnerability, first discovered in March 2001, is still giving viruses and worms like Bugbear a way onto your PC.

We are late publishing the June edition; I've been busy with the next version of Symantec's Internet Threat Report, due out in September, analysing the Newsletter survey results and working on the new HTML format.

In response to the survey conducted on this newsletter we have added a couple of new sections, changed a few sections and taken note of your comments. Later editions will be further enhanced but in this edition you'll find a calendar of selected security events and IT Security news links that may be of interest.

One of the more controversial additions is the 'Symantec Solution' boxes embedded in the articles. These are a compromise: we didn't want to carry advertising, but many subscribers want to know what products we have to combat security issues, so these boxes are, I think, a reasonable way of covering them.

AVAR (Association of anti Virus Asia Researchers) have just issued their call for papers for the conference that will be held in Sydney, Australia later this year. As an AVAR VP I'm proud to be the conference chair on behalf of AVAR for this year. Details of the event are in the calendar.

I've recently had the pleasure of working with Syngress to write the Foreword to a new book, Configuring Symantec AntiVirus Corporate Edition (ISBN: 1-931836-81-7). You can get a copy from Amazon here, and no, I won't make any money from promoting this link. :)

Best Regards

David Banes


Viruses, Trojans & Worms


W32.Bugbear.B@mm

Aliases:
Win32.Bugbear.B [CA], W32/Bugbear.b@MM [McAfee], PE_BUGBEAR.B [Trend], W32/Bugbear-B [Sophos], I-Worm.Tanatos.b [KAV], W32/Bugbear.B [Panda], Win32/Bugbear.B@mm [RAV]

Risk: High [4]

Date: 4th June 2003

Systems Affected:
Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

W32.Bugbear.B@mm worm is:

- A variant of W32.Bugbear@mm.
- A mass-mailing worm that also spreads through network shares.
- Polymorphic and also infects a select list of executable files.
- Possesses keystroke-logging and Backdoor capabilities.
- Attempts to terminate the processes of various antivirus and firewall programs.

The worm uses the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability to make unpatched systems auto-execute the worm when an infected message is read or previewed.

In addition, the worm contains routines that specifically target financial institutions. This functionality causes the worm to send sensitive data to one of ten hard-coded public Internet e-mail addresses. The information sent includes cached passwords and key-logging data.

Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupt their normal functionality.


NOTE: If you believe your computer may already be infected with W32.Bugbear.B@mm because your antivirus software does not work, scan your system over the Internet with Symantec Security Check.

Symantec Security Response has created a tool to remove W32.Bugbear.B@mm, which is the easiest way to remove this threat.


Write-up by: Eric Chien, Security Response EMEA.

Source: Symantec Security Response

W32.Sobig.E@mm

Aliases:
Win32.Sobig.E [CA], W32/Sobig-E [Sophos], W32/Sobig.e@MM [McAfee], WORM_SOBIG.E [Trend]

Risk: Medium [3]

Date: 25th June 2003

Systems Affected:
Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me


W32.Sobig.E@mm is a mass-mailing worm that sends itself to all the email addresses that it finds in the files with the following extensions:






The email falsely purports that Yahoo sent it (

Email Routine Details
The email message has the following characteristics:

(NOTE: W32.Sobig.E@mm spoofs this field. It could be any address.)

Subject: The subject line will be one of the following:

Re: Application
Re: Movie
Re: Movies
Re: Submitted
Re: Screensaver
Re: Documents
Re: Re: Application ref 003644
Re: Re: Document
Your application
new document.pif
Re: document.pif


Attachment: The attachment name will be one of the following:

(contains Details.pif)
(contains Application.pif)
(contains Document.pif)
(contains
(contains Movie.pif)

NOTE: The worm de-activates on July 14, 2003, and therefore, the last day on which the worm will spread is July 13, 2003.

Symantec Security Response has created a tool to remove W32.Sobig.E@mm.
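Both write-ups above describe mail-borne indicators a gateway filter can check for: the Bugbear write-up mentions the IE MIME-header vulnerability (CVE-2001-0154), in which a message declares a harmless media type for an attachment that is really an executable, and the Sobig.E write-up lists fixed subject lines and attachment names. The script below is an added example, not code from Symantec or from this newsletter. It parses a message with Python's standard email module and reports executable attachments, attachment media types that do not match an executable file name, and the Sobig.E subjects and attachment names given on this page. The set of auto-rendered media types and the executable-extension list are assumptions for the example, and both sample messages are constructed (the base64 payload is plain text, not a binary).

```python
import email
import os
from email import policy

# Attachment extensions that Windows executes directly. Constructed list for this
# example; extend it to match local policy.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Media types that an unpatched Internet Explorer would render without prompting.
# The CVE-2001-0154 trick pairs one of these declared types with an executable
# attachment; audio/x-wav is the type most often cited, the others are assumptions.
AUTO_RENDER_TYPES = {"audio/x-wav", "audio/wav", "audio/x-midi", "audio/midi"}

# Subject lines and attachment names listed in the newsletter for W32.Sobig.E@mm.
SOBIG_E_SUBJECTS = {
    "Re: Application", "Re: Movie", "Re: Movies", "Re: Submitted",
    "Re: Screensaver", "Re: Documents", "Re: Re: Application ref 003644",
    "Re: Re: Document", "Your application", "new document.pif", "Re: document.pif",
}
SOBIG_E_ATTACHMENTS = {"details.pif", "application.pif", "document.pif", "movie.pif"}


def inspect_message(raw: bytes) -> list[str]:
    """Return the findings for one RFC 822 message; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = str(msg.get("Subject", "")).strip()
    if subject in SOBIG_E_SUBJECTS:
        findings.append(f"subject matches W32.Sobig.E@mm list: {subject!r}")

    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()  # Content-Disposition filename, or Content-Type name
        if not filename:
            continue  # inline body text, not an attachment
        declared_type = part.get_content_type()  # normalised to lower case
        ext = os.path.splitext(filename)[1].lower()

        if filename.lower() in SOBIG_E_ATTACHMENTS:
            findings.append(f"attachment name matches W32.Sobig.E@mm list: {filename}")
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment: {filename} ({declared_type})")
            if declared_type in AUTO_RENDER_TYPES:
                # A media type IE renders automatically wrapped around an executable
                # is the pattern the MIME-header vulnerability relies on.
                findings.append(
                    f"MIME type {declared_type} declared for executable {filename}: "
                    "CVE-2001-0154 auto-execution pattern"
                )
    return findings


# Constructed sample modelled on the Sobig.E description above; the base64 body
# decodes to the text "Not a real executable".
SAMPLE_SOBIG_E = b"""From: support@yahoo.com
To: user@example.com
Subject: Re: Movie
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sample-boundary"

--sample-boundary
Content-Type: text/plain; charset="us-ascii"

Please see the attached file.
--sample-boundary
Content-Type: audio/x-wav; name="Movie.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Movie.pif"

Tm90IGEgcmVhbCBleGVjdXRhYmxl
--sample-boundary--
"""

# Constructed benign message: a text attachment whose media type matches its name.
SAMPLE_CLEAN = b"""From: colleague@example.com
To: user@example.com
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sample-boundary"

--sample-boundary
Content-Type: text/plain; charset="us-ascii"

Notes attached.
--sample-boundary
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

Agenda item one.
--sample-boundary--
"""

if __name__ == "__main__":
    for label, sample in (("sobig-e sample", SAMPLE_SOBIG_E), ("clean sample", SAMPLE_CLEAN)):
        print(label, "->", inspect_message(sample) or "no findings")
```

The subject and file-name lists only catch the Sobig.E messages as documented here; the media-type check is the more durable of the checks because it targets the technique, a mismatch between the declared type and an executable name, rather than one worm's strings. A gateway that applies it should quarantine on any executable attachment regardless of declared type, since a patched client is the only reliable fix for CVE-2001-0154.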


Source: Symantec Security Response


Featured Analyses
from Symantec DeepSight Threat Management System

Fu Rootkit Analysis

Fu is a kernel rootkit created for Microsoft Windows NT4, Microsoft Windows 2000, and Microsoft Windows XP. By directly accessing Windows kernel data structures, Fu creates an effective avenue of clandestine access, which attackers may use to conceal their presence and perform operations with elevated privileges on a compromised system.

Manifesting itself in the form of a device driver, Fu is especially dangerous because it modifies the behaviour of the underlying operating system at the lowest possible level. Once deployed, operations performed via this utility may be extremely difficult to detect.

Spybot version 3 Analysis
Spybot, also known as Milkit, is an open source trojan that contains several mechanisms of propagation. Spybot can spread using file sharing applications and vulnerabilities in other trojans as propagation vectors. Spybot will attempt to take control of systems that were previously compromised and are running the Sub-Seven or Kuang2 trojan. An infected system will connect to an Internet Relay Chat (IRC) channel and wait for the attacker to issue instructions. Once a system has been infected, the attacker will have complete control of the system via IRC.

An attacker can modify the Spybot source code to create a trojan that will meet the attacker's needs. The customizable nature of Spybot can result in dynamic behaviour and unique binaries, which can make detection and removal a complex task.

W32.Illpatient IRC-based RAT Analysis
W32.Illpatient is an IRC-based Remote Access Tool (RAT), written in C, which runs on the Win32 family of operating systems. It was obtained from a compromised Symantec DeepSight Honeypot and was found compressed with UPX.

This utility was loaded onto a compromised Symantec DeepSight Honeypot, with what may have been a scripted installation routine, as this utility does not appear to be capable of propagating automatically.

W32.Illpatient receives commands from its owner through Internet Relay Chat (IRC). During startup, it connects to a hard-coded IRC server, and joins a private, keyed channel. Although W32.Illpatient contains several features, including a Denial of Service (DoS) routine, testing has indicated that it is not very stable.


Top Malicious Code Threats

Risk  Threat              Discovered    Protection
                          4 Jun 2003    5 Jun 2003
                          17 Apr 2002   17 Apr 2002
                          25 Jun 2003   25 Jun 2003
                          8 May 2003    9 May 2003
3     W32.SQLExp.Worm     24 Jan 2003   24 Jan 2003


Latest Malicious Code Threats

Risk  Threat                    Discovered    Protection
2     W32.Vivael@mm             28 Jun 2003   28 Jun 2003
2     W32.Klexe.Worm            27 Jun 2003   28 Jun 2003
2     W32.Mumu.B.Worm           26 Jun 2003   26 Jun 2003
1     W32.HLLW.Lovgate.L@mm     25 Jun 2003   25 Jun 2003
1     W32.Yaha.T@mm             24 Jun 2003   25 Jun 2003


Common Vulnerabilities

Microsoft IE MIME Header Attachment Execution Vulnerability
  Bugtraq ID: 2524   CVE Reference: CVE-2001-0154   Exploited by: W32.Klez, W32.Sobig, W32.Bugbear, W32.Yaha, W32.Nimda, W32.Lirva

MS IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
  Bugtraq ID: 2708   CVE Reference: CVE-2001-0333   Exploited by: W32.Nimda

Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
  Bugtraq ID: 1806   CVE Reference: CVE-2000-0884   Exploited by: W32.Nimda

Microsoft Windows 9x / Me Share Level Password Bypass Vulnerability
  Bugtraq ID: 1780   CVE Reference: CVE-2000-0979   Exploited by: W32.Opaserv

Microsoft SQL Server Resolution Service buffer overflows allow arbitrary code execution
  Bugtraq ID: 5311   CVE Reference: CAN-2002-0649   Exploited by: W32.SQLExp.Worm


Security News

PetCo Plugs Credit Card Leak
By Kevin Poulsen, Jun 30 2003
Pet supply site offered more than kitty litter and flea collars.

AT&T lets phone fraud victims off the hook
By Kevin Poulsen, Jun 25 2003
The company will abandon its efforts to collect on four-figure phone bills left by a voice-mail cracking scheme.


Useful Links


Incorrect MIME Header Can Cause IE to Execute E-mail Attachment

Virus Removal Tools
Fix tools for threats such as W32.HLLW.Lovgate, W32.SQLExp.Worm, W32.Sobig.A@mm and W32.Bugbear@mm

Virus Hoaxes

There are many email virus hoaxes; please check here before forwarding email virus warnings.

Joke Programs

Joke programs are not malicious and can be safely deleted.


Security Events Calendar

July 14-19, 2003
Washington, DC, USA

Department of Homeland Security IT Security Conference
July 9-10, 2003
Baltimore, MD, USA

VB2003 - VB Conference 2003
Sept 25-26, 2003
Toronto, Canada

AVAR 2003 - Malicious Code Conference 2003
November 6-7, 2003
Sydney, Australia


Security Advisories

FastTrack P2P Supernode Packet Handler Buffer Overflow Vulnerability

Risk: High

Date: 26th May 2003

Components Affected: Many, listed here;


The FastTrack P2P Supernode Packet Handler has been reported to be prone to a buffer overflow vulnerability. The issue lies in the FastTrack Supernode packet handler: it does not perform sufficient bounds checking on supernode entries received before they are copied into a fixed-size buffer in internal memory.

An attacker may exploit this vulnerability to trigger a denial of service condition or, ultimately, to have arbitrary attacker-supplied code executed. Code execution would occur in the context of the user running an application that incorporates the vulnerable FastTrack P2P Packet Handler.


It should be noted that this vulnerability has been tested on KaZaA version 2.0.2. Other versions of KaZaA and similar file-sharing clients based on FastTrack P2P technology may also be affected.

Block external access at the network boundary, unless service is required by external parties.
If applicable, block all incoming FastTrack P2P based traffic at the network boundary.


Discovery of this vulnerability has been credited to random nut <>.

Source: Grokster Homepage

Source: iMesh Product Homepage

Source: KaZaA Homepage

Source: Morpheus Homepage

Source: Symantec Security Response

PMachine Lib.Inc.PHP Remote Include Command Execution Vulnerability

Risk: High

Date: 15th June 2003

Components Affected:
PMachine PMachine 2.2.1


It has been reported that PMachine does not properly handle include files under some circumstances. Because of this, an attacker may be able to remotely execute commands in the context of the web server.


Block external access at the network boundary, unless service is required by external parties.

Filter untrusted network traffic at border routers and network firewalls.

Running the server in a closed or restricted environment may limit the consequences of successful exploitation. Execute server processes with the least privileges required, and place processes in a restrictive environment.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: .
PMachine PMachine 2.2.1:

Discovery credited to "Frog Man" <>.

Source: SecurityFocus

Source: PMachine Homepage



Symantec, the Symantec logo, [registered trademarks in alphabetical order] are U.S. registered trademarks of Symantec Corporation. [Common law trademarks in alphabetical order] are trademarks of Symantec Corporation. Windows, Windows NT, and the Windows logo are registered trademarks of Microsoft Corporation in the United States and other countries. All other brand and product names are trademarks of their respective holder(s). Copyright © 2003 Symantec Corporation. All rights reserved. Printed in Australia. March 2003.

Last Updated: July 9, 2003