Bugbear runs wild in NZ
- 02 October, 2002 22:00
A number of companies, including IDG Communications, publisher of this website, have been stung by the latest virus to attack Microsoft-based email systems.
One company, an Australian-based outsourcing firm that didn't want to be named, received the worm from its Melbourne-based parent company, according to its New Zealand manager.
"We blocked it but one of the users said it looked like a legitimate email so we cleared it for them to open."
The worm caused all the shared printers to begin spewing out pages that had one line of nonsense and nothing else.
"It's end of the month so we're trying to print off a lot of reports. That went down really well."
Getting rid of the worm was relatively easy, about 10 minutes' work, but the hassle it caused was tremendous.
"That it referred to something that seemed work-related meant we let it through despite the software blocking it. That really hurts."
Similarly at IDG Communications, having all the shared printers out of action for around an hour and a half also caused headaches for the head of technical support, Karl Martin.
"Each printer on the network began spitting out pages until they ran out of paper. Once we got them up and running again half of them had paper jams as well so it turned into a printer maintenance job as well."
Martin said he first became aware of the problem when his own office printer began spitting out pages.
"It's on the shared network but nobody knows it's there but me so I was very surprised to see it printing."
Martin says that while IDG's virus protection is regularly updated, a timing issue with the automatic downloads meant the virus arrived before the update.
"We updated on the 29th which was just bad luck."
The country's largest ISP, Xtra, has installed a server-based anti-virus solution, and Xtra spokesman Matt Bostwick says Bugbear is primed to knock Klez off its perch as the most widely reported virus.
"We cleared 24,000 emails yesterday and a further 12,000 by 9 o'clock this morning."
Bugbear made its presence felt this week with a peculiar combination of social engineering and technical nastiness.
Not only does the worm include a varying subject line to keep users on their toes, but it also uses multiple file extensions to fool those who do check that it isn't an executable file.
On top of that, it hunts down and closes dozens of applications, including most of the major anti-virus products.
It installs a trojan back door that opens port 36794 and waits to hear from the worm's creator. It will then delete files, deliver keystroke and mouse-click records to the hacker, and so on.
Finally it replicates itself across any network it finds, and it's this last move that's caused the most concern - the worm doesn't differentiate between network devices and so floods shared printers with garbage.
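The multiple-file-extension trick described above is something a mail gateway can test for on attachment names alone, whatever the subject line says. The Python below is an added example, not part of the original article or of any vendor's product; the extension list, function names and sample message are constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on double-click (illustrative list, an assumption).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}

def classify_name(filename):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    # Drop any path component, then the trailing dots and spaces Windows ignores.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2 or "." + parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    # An earlier dot-separated part is a decoy extension such as ".doc".
    return "double-extension" if len(parts) > 2 else "executable"

def scan_message(raw_bytes):
    """List (filename, verdict) for every risky attachment in a raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and classify_name(filename) != "ok":
            findings.append((filename, classify_name(filename)))
    return findings

def build_sample():
    """Constructed test message: one decoy-named attachment, one harmless."""
    msg = EmailMessage()
    msg["Subject"] = "Monthly report"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("See attached.")
    msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="report.doc.pif")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"quarantine: {name} ({verdict})")
```

A verdict of `double-extension` is a property of the file name, so it holds however work-related the message appears to the person asking for its release.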