W32.Bugbear.B@mm

W32.Bugbear.B@mm worm is:

• A variant of W32.Bugbear@mm.
• A mass-mailing worm that also spreads through network shares.
• Polymorphic and also infects a select list of executable files.
• Possesses keystroke-logging and Backdoor capabilities.
• Attempts to terminate the processes of various antivirus and firewall programs.

The worm uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability to cause unpatched systems to auto-execute the worm when reading or previewing an infected message.

In addition, the worm contains routines that specifically affect financial institutions. This functionality will cause the worm to send sensitive data to one of 10 hard-coded, public Internet e-mail addresses. The sent information includes cached passwords and key-logging data.

Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupt their normal functionality.

NOTES:

• If you believe your computer may already be infected with W32.Bugbear.B@mm because your antivirus software does not work, scan your system over the Internet with Symantec Security Check.
• Symantec has recorded a Web cast discussing information about W32.Bugbear.B@mm. You can access the Web cast at: https://www76.placeware.com/cc/symantec/view?id=bugb2. Input your name and click View.

Security Response has received many submissions of corrupted W32.Bugbear.B@mm samples. A specific detection for this type of infected file has been added as W32.Bugbear.B.Dam. This detection is available in virus definitions dated June 6, 2003. Be sure to delete the files detected as W32.Bugbear.B.Dam.