The W32/Bugbear.B@MM Spawns A Variant; Makes Problems at U-M
21 June 2004
By Bruce P. Burrell, for the U-M antivirus team
On Wednesday 16 June 2004, a unit at U-M was afflicted by a variant of
the W32/Bugbear virus.
***********************************************************************
Unfortunately, this variant -- no matter what Bugbear variant it is
called -- is destructive: it overwrites its host, so it is necessary to
reinstall the overwritten files from originals or uncorrupted backups.
According to our staff who have been working on this, the net effect is
that the whole machine needs to be re-imaged.
***********************************************************************
Time line and tech details:
- NAI sent us an "extra.dat" file to deal with it early Wednesday
  afternoon, 16 June 2004. The tentative identification was
  "W32/Bugbear.C", though that particular Bugbear was already known to
  exist. The sample we have seen is viable; NAI suspected that it was a
  corrupted form of Bugbear.C.
- On Friday, NAI sent us an improved extra.dat, now recognizing this as
  a variant of "Bugbear.B."
- We placed these drivers on the email gateway as soon as they were
  available, then immediately alerted the Email Gateway Notify group.
- Later on Friday, NAI included recognition of this new variant in its
  "Daily DATfiles", calling it W32/Bugbear.j. We did not attempt to
  deploy this -- like extra.dat files, daily DATs can't be auto-updated
  by VirusScan itself (VirusScan 8 can autoupdate extra.dat files,
  though, which will be welcome!).
- UPDATE: On Monday 21 June 2004 NAI informed us that this will be
  recognized as "W32/Bugbear.B" by the drivers released on 23 June 2004.
  [Hence the original "Procedure B" has been removed below.]
Note that extra.dat files must be installed manually, unless the McAfee
Electronic Policy Orchestrator (ePO) or some other management solution
(SMS, ZenWorks, etc.) is deployed.
So: while it appears that this has been seen at only one unit on campus
-- and to the best of our knowledge, nowhere else in the world -- it has a
major impact if the machines get infected. Hence we urge you to take
special action to make sure that this virus does not get a grip in YOUR
neck of the woods:
Installation Procedure for the extra.dat
- Download the extra.dat containing the new Bugbear drivers.
- Store it with the current DATfiles (CLEAN.DAT, NAMES.DAT, and
  SCAN.DAT):
  - For default installs of VirusScan 7, copy this file to all your
    machines in the
    C:\Program Files\Common Files\Network Associates\Engine
    folder.
  - For VirusScan 4.5.1, the same file should live in the
    C:\Program Files\Common Files\Network Associates\VirusScan Engine\4.0.xx
    folder. Note that "xx" is literal -- it is not a variable -- and of
    course this path is all on one line, though it probably wraps in
    your emailer.
- While usually not necessary, it's a good idea to reboot the machine
  at this point, then scan the box. Assuming you are using our current
  extra.dat, you should see infected boxes reported as being compromised
  by W32/Bugbear.b.
- Infected machines should be rebuilt, if our information is correct;
  if you get the extra.dat onto a machine before it is compromised, we
  expect that it should be protected.
When the drivers for this variant are available in the "normal" DATfiles
(probably the ones released this Wednesday), you may want to take extra
action: as soon as drivers that recognize this variant are available, it
would be best if you removed the extra.dat and replaced it with the new
one that will be at the same URL. Then you will have "exact"
identification of Bugbear.j, instead of seeing it as Bugbear.b. That
said, the definition in the extra.dat for the new Bugbear variant will
expire automatically on 07/07/2004.
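The procedure above has to be repeated on every machine, and later undone when the regular DATfiles cover the variant. The script below is an added example for this advisory, written by the editor; it is not the U-M antivirus team's script and not anything shipped by NAI/McAfee. It pushes a downloaded extra.dat into whichever of the two DAT folders named above exists on each machine, over the machines' C$ admin shares, and with -Remove takes it out again. Everything beyond the two folder paths is assumed: that you run it as an account with admin rights on the targets, that the default install paths apply, that PowerShell 4 or later (for Get-FileHash) is available, and that the optional SHA-256 you pass is one you recorded when you downloaded the extra.dat. The script name Push-ExtraDat.ps1 is hypothetical.

```powershell
<#
  Push-ExtraDat.ps1 -- added example, not from the U-M page or from NAI/McAfee.
  Copies an extra.dat into the VirusScan DAT folder on each listed machine
  via its C$ share, or removes it again with -Remove.
  Assumptions (not on the page): admin rights on the targets, default
  VirusScan install paths, PowerShell 4+ for Get-FileHash, and a SHA-256
  you recorded yourself at download time.
#>
param(
    [Parameter(Mandatory = $true)] [string]   $ExtraDatPath,   # local copy of the extra.dat
    [Parameter(Mandatory = $true)] [string[]] $ComputerName,   # machines to update
    [string] $ExpectedSha256,                                  # optional integrity check
    [switch] $Remove                                           # delete extra.dat instead of copying it
)

# Folders from the advisory, relative to the root of C:. The second one
# really does contain the literal characters "4.0.xx".
$engineDirs = @(
    'Program Files\Common Files\Network Associates\Engine',                 # VirusScan 7
    'Program Files\Common Files\Network Associates\VirusScan Engine\4.0.xx' # VirusScan 4.5.1
)

if (-not $Remove) {
    if (-not (Test-Path -LiteralPath $ExtraDatPath)) {
        throw "extra.dat not found at $ExtraDatPath"
    }
    if ($ExpectedSha256) {
        # Refuse to push a file that is not the one you downloaded.
        $actual = (Get-FileHash -LiteralPath $ExtraDatPath -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
            throw "extra.dat hash mismatch: expected $ExpectedSha256, got $actual"
        }
    }
}

foreach ($pc in $ComputerName) {
    $handled = $false
    foreach ($rel in $engineDirs) {
        $dir = '\\{0}\C$\{1}' -f $pc, $rel
        # Only touch a folder that really holds the DAT set (SCAN.DAT sits
        # beside CLEAN.DAT and NAMES.DAT); that is where the engine looks.
        if (-not (Test-Path -LiteralPath (Join-Path $dir 'SCAN.DAT'))) { continue }
        $target = Join-Path $dir 'extra.dat'
        if ($Remove) {
            if (Test-Path -LiteralPath $target) {
                Remove-Item -LiteralPath $target -Force
                Write-Output ('{0}: removed extra.dat from {1}' -f $pc, $rel)
            }
        } else {
            Copy-Item -LiteralPath $ExtraDatPath -Destination $target -Force
            Write-Output ('{0}: extra.dat placed in {1}' -f $pc, $rel)
        }
        $handled = $true
    }
    if (-not $handled) {
        Write-Warning ('{0}: no VirusScan DAT folder found at the default paths' -f $pc)
    }
}
```

Run it as, for example, `.\Push-ExtraDat.ps1 -ExtraDatPath .\extra.dat -ComputerName host1,host2 -ExpectedSha256 <hash>` and, once the regular DATfiles recognize the variant, `.\Push-ExtraDat.ps1 -ExtraDatPath .\extra.dat -ComputerName host1,host2 -Remove`. The script only places or removes the file; the reboot and full scan the advisory recommends still have to be done on each machine, and a machine that was already infected still needs to be rebuilt rather than cleaned.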
This information lives at
http://virusbusters.itcs.umich.edu/bugbear-b.html
-BPB

virus.busters@umich.edu
ITCS | University of Michigan
Copyright © 1996-2004 The Regents of The University of Michigan