News Stay informed about the latest enterprise technology news and product updates.

Bugbear worm still making tracks on network shares

Bugbear worm still making tracks on network shares

The Bugbear worm is hardly in hibernation, with several antivirus experts reporting that its progress has heated up since being discovered Monday.


A new worm that uses network shares to spread and can install a backdoor in systems was discovered on Tuesday.

W32.Opaserv.Worm uses MS Windows NETBIOS services to spread over local and global networks. It's also called Opasoft. Windows 9x systems are affected but Windows NT systems are not.

As a network-aware worm, Opaserv copies itself to remote computers with the file named Scrsvr.exe. It changes the win.ini file so the copied file will be run when the system is started. After infecting a system, the worm tries to download updates of itself from, which has been taken down.

Opaserv looks for IP addresses local networks. When a target is found, it sends data to port 137 (NETBIOS Name Service), and starts its infection routine.

FOR MORE INFORMATION: "Bugbear worm logs keystrokes, opens back door"

"Five ways to be virus-free"

Link to Microsoft security bulletin (including the patch)

Recent webcast on virus management

Feedback on this story? Send your comments to News Writer Edward Hurley

This morning, e-mail security managed service provider MessageLabs reported that it has captured 27,500 copies of the worm, up from 9,400 yesterday. The worm, which travels via e-mail and network shares, is also called Tanat, Tanatos, WORM_NATOSTA.A and W32/Bugbear@MM.

Helsinki, Finland-based antivirus vendor F-Secure is seeing as many reports of Bugbear as Klez, the most prevalent worm of the last six months, said Mikko Hypponen, F-Secure's manager of antivirus research. "It's gaining ground fast."

There are two dangers associated with Bugbear.

First, the worm opens a backdoor and installs a keystroke-logging program on infected systems, giving it the ability to harvest passwords and other sensitive information.

Additionally, Bugbear aggressively targets antivirus and firewall software. The worm periodically tries to shut down processes associated with popular antivirus and firewall products.

"There are tens of thousands of computers that had antivirus software a few days ago but now don't have any running," Hypponen said. These systems would be open to other viruses and potentially malicious hacking if firewall software is turned off.

Bugbear spreads by sending itself as an e-mail attachment and through network file shares. The latter functionality may have something to do with its success, because only one user on a network has to open the attachment. Once a machine is infected, the worm can spread itself throughout the network.

This is not just an issue for corporations. Home DSL and cable users could become infected via this method, said Chris Wraight, technology consultant at antivirus vendor Sophos.

Bugbear's e-mail propagating abilities are also quite savvy. The worm takes advantage of IFRAME and MIME vulnerabilities so a recipient doesn't need to open the attached worm for it to execute.

The worm also steals e-mail messages from infected systems and forwards them with copies of itself. The use of real e-mails lends some credibility to the messages, which prompts some recipients to open it. The technique could also send out sensitive information, Hypponen said.

Bugbear also uses a variety of subject lines to entice targets to open the attachment. Some of these include:

  • Hello!
  • update
  • Payment notices
  • Just a reminder
  • Correction of errors
  • history screen
  • Announcement
  • various
  • Introduction
  • Interesting...
  • I need help about script!!!
  • Please Help...
  • Report
  • Membership Confirmation
  • Get a FREE gift!
  • Today Only
  • New Contests
  • Lost & Found
  • bad news
  • fantastic
  • click on this!
  • Market Update Report
  • empty account
  • My eBay ads
  • 25 merchants and rising
  • new reading
  • Sponsors needed
  • SCAM alert!!!
  • Warning!
  • its easy
  • free shipping!
  • Daily Email Reminder
  • Tools For Your Online Business
  • New bonus in your cash account
  • Your Gift
  • $150 FREE Bonus!
  • Your News Alert
  • Get 8 FREE issues - no risk!
  • Greets!

Dig Deeper on Emerging cyberattacks and threats

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.