Description of virus alert about the W32/Bugbear@mm virus

The W32/Bugbear@mm worm spreads through e-mail messages and network shares. E-mail messages that are used by the W32/Bugbear@mm worm may use the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability to run automatically on some computers when an infected e-mail message is viewed. For more information about this vulnerability, see the Microsoft Security Bulletin at the following Microsoft Web site: For more information about this vulnerability, see the PSS Security Response Team Alert at the following Microsoft Web site:

The W32/Bugbear@mm worm arrives in an e-mail message with one of the following subject lines in the Subject box. The subject lines are not limited to those that are in the following list:

• Found
• 150 FREE Bonus!
• 25 merchants and rising
• Announcement
• bad news
• CALL FOR INFORMATION!
• click on this!
• Correction of errors
• Cows
• Daily Email Reminder
• empty account
• fantastic
• free shipping!
• Get 8 FREE issues - no risk!
• Get a FREE gift!
• Greets!
• Hello!
• history screen
• hotmail.
• I need help about script
• Interesting
• Introduction
• Just a reminder
• Market Update Report
• Membership Confirmation
• My eBay ads
• New bonus in your cash account
• New Contests
• new reading
• News
• Payment notices
• Please Help
• Report
• SCAM alert
• Sponsors needed
• Stats
• Today Only
• Tools For Your Online Business
• update
• various
• Warning!
• Your News Alert

Both the body and the attachment of the e-mail message appear to have varying characteristics. For example, the attachment appears to regularly use a double extension, such as ".exe.pif" (without the quotation marks).

The W32/Bugbear@mm worm also spreads through network share propagation.

The W32/Bugbear@mm worm also tries to turn off (disable) antivirus software related processes and installs a Backdoor Trojan with a randomly generated file name and .dll extension. The Backdoor Trojan is a keystroke logging Trojan that communicates over port 36794.

Contact your antivirus vendor for additional details about the W32/Bugbear@mm worm.

Prevention

1. Block potentially damaging attachment types at your Internet mail gateways.
2. This virus uses a previously announced vulnerability as part of its infection method. Because of this, you must make sure that your computers are patched for the vulnerability that is identified in Microsoft Security Bulletin MS01-020. For more information about this bulletin, visit the following Microsoft Web site:
   http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx (http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx)
   To obtain the most recent cumulative security patch for Microsoft Internet Explorer, which includes the fixes for the vulnerabilities that were announced in Microsoft Security Bulletin MS01-020, visit the following Microsoft Web site:
   http://www.microsoft.com/technet/security/bulletin/MS02-023.mspx (http://www.microsoft.com/technet/security/bulletin/MS02-023.mspx)
3. If you are using Microsoft Outlook 2000 Service Release 1 (SR-1) or earlier, install the Outlook E-mail Security Update patch to prevent this virus, and the majority of other viruses that are borne by e-mail messages, from running.
   
   Outlook 2000 Service Pack 2 (SP2) and Microsoft Outlook 2002 automatically contain the functionality that is contained in the Outlook E-mail Security Update patch.
   
   To install the Outlook E-mail Security Update patch for Outlook 2000 SR-1 or earlier, visit the following Microsoft Web site:
   http://www.microsoft.com/downloads/details.aspx?FamilyID=96DF48A9-7638-429E-816E-35F16F6528CA&displaylang=EN (http://www.microsoft.com/downloads/details.aspx?FamilyID=96DF48A9-7638-429E-816E-35F16F6528CA&displaylang=EN)
4. You can also configure Microsoft Outlook Express 6 to block access to potentially damaging attachments.For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
   291387  (http://support.microsoft.com/kb/291387/EN-US/ ) OLEXP: Using Virus Protection Features in Outlook Express 6
   Earlier versions of Microsoft Outlook Express do not contain attachment-blocking functionality. Use caution when you open unsolicited e-mail messages with attachments.
   
   
5. Using a program-level firewall can protect you from being infected with this virus through Web-based e-mail programs.

Recovery

If your computer has been infected with this virus, contact Microsoft Product Support Services or your preferred antivirus vendor for help with removing the virus. For information about how to contact Microsoft Product Support Services, visit the following Microsoft Web site:

Related Security Information

For additional information about viruses, visit the following third-party Web sites: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

For additional security-related information about Microsoft products, visit the following Microsoft Web site: