IWS - The Information Warfare Site

Advisory 02-008

“W32.Bugbear@mm or I-Worm.Tanatos”
October 3, 2002

The National Infrastructure Protection Center (NIPC) is issuing this advisory to heighten awareness of an e-mail-borne worm known as W32.Bugbear or I-Worm.Tanatos. This network-aware worm, which is being circulated as an e-mail attachment, appears to target machines running Microsoft software. The worm is attached to e-mails with a wide variety of subject lines such as "bad news," "Membership Confirmation," "Market Update Report," and "Your Gift," and appears to use randomly generated names to avoid detection by anti-virus software, as well as multiple file extensions to disguise the fact that it is an executable file. W32/Bugbear-A tries to copy itself to all types of shared network resources. The anti-virus industry has reported that this worm has infected over 22,000 systems in the past 24 hours and is continuing to grow. Due to its keystroke logging and backdoor capabilities, the worm is capable of intercepting a victim's Internet activity, for example, credit-card information, banking information, usernames and passwords. The NIPC is urging all owners of infected systems to change logins and passwords after the infection has been reported and removed. System administrators should be aware that attackers could exploit these vulnerabilities to gain remote access, which could enable the attacker to take any action desired, such as installing malicious code; running programs; and reconfiguring, adding, changing, or deleting files.


The Bugbear worm arrives in victims' in-boxes in the form of a random e-mail. The only constant signature of the worm has been the size of the attachment, which to date has been 50,688 bytes. The virus installs a Trojan horse component called “PWS-Hooker” on infected machines. The Trojan program searches for and tries to disable a number of common Windows processes, and popular anti-virus and firewall software. The actual infected file arrives as an attachment. The subject line, name of the attachment, and text in the body of the message can vary; the attachment name typically has a double extension, such as “.doc.pif.” The worm may also attempt to determine the presence of an Apache 1.3.26 web server and relay this information to an external email address; it continuously looks for and terminates processes by listening to port 36794/tcp and port 137/udp. When a remote system is restarted, the worm's file gets control and infects a system.
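A mail-gateway check built from the two traits described above (the 50,688-byte attachment size and a double extension such as ".doc.pif"), as an added example that is not part of the NIPC advisory. The extension set beyond ".pif", the function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

BUGBEAR_SIZE = 50_688  # attachment size reported in the advisory
# Assumption: the advisory names only ".pif"; the other extensions are added here.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe"}


def has_disguised_extension(filename):
    """True when a name like 'report.doc.pif' ends in an executable extension
    that is hidden behind an earlier, harmless-looking one."""
    parts = filename.lower().rstrip(". ").split(".")
    return len(parts) >= 3 and "." + parts[-1] in EXECUTABLE_EXTS


def score_message(raw_bytes):
    """Return [(filename, [reasons])] for every named MIME part that matches
    at least one of the advisory's traits."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():  # walk() also reaches inline parts, not only attachments
        name = part.get_filename()
        if not name:
            continue
        payload = part.get_payload(decode=True) or b""  # decoded size, not base64 size
        reasons = []
        if has_disguised_extension(name):
            reasons.append("double-extension")
        if len(payload) == BUGBEAR_SIZE:
            reasons.append("size-50688")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample(filename, size):
    """Constructed test message carrying an inert, zero-filled attachment."""
    m = EmailMessage()
    m["Subject"] = "Market Update Report"
    m["From"] = "a@example.com"
    m["To"] = "b@example.com"
    m.set_content("see attached")
    m.add_attachment(b"\x00" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Either trait alone is weak evidence; a message that matches both is the case worth quarantining for review.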

The worm exploits the MIME and IFRAME vulnerability in versions of Microsoft Internet Explorer 5.01 and 5.5. However, users running Internet Explorer 5.01 service pack 2 are not affected by this vulnerability. These vulnerabilities may allow an executable attachment to run automatically, even if the user does not double-click on the attachment. An option in Microsoft Internet Explorer executive preview pane allows users to view e-mail without clicking on the email. Users can delete the e-mail before viewing in the preview pane by turning the option off until appropriate patches have been applied.

Microsoft has issued a patch to secure against these attacks. The patch can be downloaded from Microsoft Security Bulletin MS01-027: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-27.asp
(This patch was released to fix a number of vulnerabilities in Microsoft's software, including the ones exploited by this worm.)

Several anti-virus software vendors have updated their signature files to recognize this worm in an attempt to stop the infection upon contact. In some cases, anti-virus software will remove an active infection from your system. Additional information can be obtained at:

Central Command





The NIPC strongly urges the community to consider applying patches from Microsoft to secure against these attacks. All versions of Windows are vulnerable to this worm's ability to arrive via open file sharing. Users of Macintosh, Linux, and Unix are not at risk. Users of Internet Explorer 6 should be safe from the e-mail portion of this worm.

The NIPC encourages recipients of this advisory to report computer intrusions to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) and other appropriate authorities. Recipients may report incidents online to http://www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@fbi.gov.