Guard against Bugbear using these tips


The steady progress of the Bugbear worm highlights the fact that a large number of computer systems -- and user mindsets -- aren't properly configured.

Bugbear can spread either through e-mail or through network shares. It takes advantage of a vulnerability in Internet Explorer, so a user doesn't have to double-click on the attached worm for it to run.


The worm uses a host of subject lines, rather than a single incriminating line, that make infected messages difficult to filter. It also pulls fragments of real e-mails from infected systems and uses them to give its bogus messages more credibility. Bugbear is also called Tanat, Tanatos, WORM_NATOSTA.A and W32/Bugbear@MM.

Here are a few tips culled from interviews with different antivirus experts this week to help your enterprise guard against Bugbear:

Update antivirus software. This may be trivial, but it is imperative, especially for home users and small businesses without IT departments. All the major antivirus software vendors have been offering signature files to protect against Bugbear since Monday.

End users who are prompted to install antivirus software because of Bugbear should be aware that the worm targets antivirus processes. In other words, installing the software on an infected machine may be ineffective. There are free Web-based antivirus scanners that users can use to make sure they aren't infected before installing a package.

Check to make sure Internet Explorer doesn't have the MIME vulnerability. Bugbear exploits a year-old vulnerability in Internet Explorer that causes attachments to be automatically executed when a message is opened or viewed in the preview pane.

Block files with .exe, .pif and .scr extensions at the gateway. The worm often comes with a double extension ending with .exe, .scr or .pif. For most companies, blocking such files routinely would be a smart and unobtrusive precaution.

Plug any unnecessary or unused network shares. Besides e-mailing itself using its own SMTP engine, Bugbear can also copy itself via network shares. Any network resource, even a printer, is susceptible. Though it won't infect printers, the worm will cause them to spit out hundreds of pages of its garbled binaries.

The worm's ability to spread via network shares means it only needs to be opened by one person at a company. It can then spread itself all around the corporate network.

User education. Bugbear arrives with a variety of subject lines, many of which smack of spam. Users should get in the habit of deleting messages that appear to be spam without even opening them.

End users should also remember not to open an attachment unless they know exactly what the file is. Bugbear spoofs e-mail addresses, so infected e-mails appear to come from PCs that did not actually send the worm. One can't necessarily trust an e-mail attachment simply because it came from a trusted sender, even if the sender is the president of the company. The best route is to e-mail the sender to ask whether he sent an e-mail with an attachment.

Users shouldn't click on attachments from any source. Instead, they should right-click on an attachment and download it. Doing this lets antivirus software scan the file.
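
The gateway tip above (block .exe, .pif and .scr, and watch for double extensions) can be sketched as a filter over a raw message. This is an added example, not code from the article or from any vendor; the function names and the sample message are constructed for illustration, and the trailing-dot handling reflects the assumption that recipients run Windows, which ignores trailing dots and spaces in file names.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

BLOCKED = {".exe", ".pif", ".scr"}  # extensions named in the gateway tip

def check_attachment(filename):
    """Return (blocked, double_extension) for one attachment file name."""
    # Drop any path component, then the trailing dots/spaces Windows would ignore.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.strip().rstrip(". ").lower()
    suffixes = PurePosixPath(name).suffixes
    # Only the final extension decides how the file is run, so test that one.
    blocked = bool(suffixes) and suffixes[-1] in BLOCKED
    return blocked, blocked and len(suffixes) > 1

def scan_message(raw_bytes):
    """Walk every MIME part and list attachments the gateway should reject."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        # get_filename() decodes encoded names and falls back to the
        # Content-Type "name" parameter when Content-Disposition has none.
        filename = part.get_filename()
        if not filename:
            continue
        blocked, double = check_attachment(filename)
        if blocked:
            reason = "double extension" if double else "blocked extension"
            findings.append((filename, reason))
    return findings

def build_sample():
    """Constructed message: one double-extension attachment, one harmless one."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("hello")
    for name in ("report.doc.pif", "photo.jpg"):
        msg.add_attachment(b"\x00", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for filename, reason in scan_message(build_sample()):
        print(f"REJECT {filename}: {reason}")
```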