[CSRT] eSafe Alert - Win32.BugBear - Medium risk - eSafe Protects You

Aladdin Content Security Response Team - Virus Alert

Win32.BugBear Vandal

Virus/Vandal name: Win32.BugBear Vandal
Threat Level: Medium
Alias: NATOSTA.A, W32/Bugbear-A, Tanatos, W32/Bugbear@MM
Platforms: Win 9X,Win 95,Win 98,Win ME,Win NT,Win 2K,Win XP
Updated on: October 01, 2002
Arrival Form: Email
Type: Win32,Trojan
Damage: Create files,Send Email,Remote control,Theft of

Win32.BugBear is an email-propagating Trojan that exploits the Outlook Express
MIME type vulnerability. It sends information about the infected PC to a remote party.
Upon arrival, it will usually self-execute on unpatched systems that are vulnerable
to the MIME type vulnerability. A patch for the MIME vulnerability in
Outlook Express 5 and 5.5 is available from Microsoft:

Upon execution it saves a copy of itself under a random name in the
Windows System directory and ensures it runs on every restart or login by
placing itself in the StartUp folder.

The Arriving Email

From: A spoofed sender address.

Subject: A random subject from the following list (possibly other subject
$150 FREE Bonus!
25 merchants and rising
bad news
click on this!
Confirmation of Recipes?
Correction of errors
Daily Email Reminder
empty account
free shipping!
Get 8 FREE issues - no risk!
Get a FREE gift!
history screen
I need help about script!!!
its easy
Just a reminder
Lost & Found
Market Update Report
Membership Confirmation
My eBay ads
New bonus in your cash account
New Contests
new reading
Payment notices
Please Help...
SCAM alert!!!
Sponsors needed
Today Only
Tools For Your Online Business
Your Gift
Your News Alert

Attached files:
A random file name with a double extension, the last of which is .EXE,
.SCR, or .PIF.
May also contain random attached files from an infected PC.

Malicious Activity
1. It searches for email addresses in the Windows Address Book and in
files with the extensions EML, MMF, MBX, TBB, OCS, DBX and NCH. It sends
itself to those addresses using its own SMTP engine.
2. It attempts to terminate the processes of various anti-virus and
personal firewall products it finds running.
3. It listens on port 36794 for incoming remote control connections,
which can give a remote attacker full control of the PC.
4. It may run a keyboard logger to capture keystrokes.
5. It creates the following encrypted DLL and DAT files in the Windows
System directory:

eSafe Users
eSafe Gateway and Mail users are protected against this vandal with the
MIME-type exploit protection.
eSafe Gateway and Mail also block by default malicious files with double
extensions and files with the .PIF and .SCR extensions.
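As an added illustration (not eSafe's code, and not part of the original alert), the double-extension and .PIF/.SCR blocking rule described above together with the port 36794 indicator from the Malicious Activity list, expressed as two small Python checks; the attachment names and the netstat listing are constructed sample input.

```python
import re

# Indicators stated in the alert: attachments carry a double extension whose
# last part is .EXE, .SCR or .PIF, and the backdoor listens on TCP port 36794.
EXECUTABLE_EXTS = {"exe", "scr", "pif"}
BUGBEAR_PORT = 36794

# Constructed sample attachment names (not taken from the alert).
SAMPLE_ATTACHMENTS = ["Market Update Report.doc.exe", "invoice.txt",
                      "readme.scr", "photo.jpg", "setup.exe"]

# Constructed sample of Windows `netstat -an` output (not a real capture).
SAMPLE_NETSTAT = """Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:36794          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:36794      192.168.1.9:1087       ESTABLISHED
"""


def is_blocked_attachment(filename: str) -> bool:
    """Gateway rule from the alert: block any attachment ending in .PIF or .SCR,
    and any double-extension name whose final extension is .EXE, .SCR or .PIF.
    Parts are stripped and lower-cased so padded names like 'a.doc   .EXE'
    are still caught. A plain single-extension .exe is NOT blocked by this rule."""
    parts = [p.strip().lower() for p in filename.split(".")]
    if len(parts) < 2 or not parts[-1]:
        return False  # no usable extension at all
    last = parts[-1]
    if last in {"pif", "scr"}:
        return True
    exts = [p for p in parts[1:] if p]  # extension parts after the base name
    return len(exts) >= 2 and last in EXECUTABLE_EXTS


def bugbear_listeners(netstat_output: str) -> list:
    """Return local addresses of TCP sockets in LISTENING state on port 36794,
    parsed from `netstat -an` style lines (Proto, Local, Foreign, State)."""
    hits = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        local, state = fields[1], fields[3]
        m = re.search(r":(\d+)$", local)
        if m and int(m.group(1)) == BUGBEAR_PORT and state.upper() == "LISTENING":
            hits.append(local)
    return hits


if __name__ == "__main__":
    print([n for n in SAMPLE_ATTACHMENTS if is_blocked_attachment(n)])
    print(bugbear_listeners(SAMPLE_NETSTAT))
```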

A vandal/virus signature update will be available shortly.

New Users
More information about eSafe Content Security Products as well as trial
versions are available from: http://www.ealaddin.com/esafe


For any information please feel free to contact us.
New security alerts, updates and information can be found at the CSRT
website: http://www.ealaddin.com/csrt

      eSafe CSRT

Aladdin. Securing The Global Village
eSafe Protects You - http://www.esafe.com

For any eSafe related questions, please contact esafe.support@ealaddin.com
This email is being sent by Aladdin Knowledge Systems Inc. (www.eAladdin.com)