More Info on Bugbear #hungary

Vivian Kahn

RootsWeb Review just issued the following information about Bugbear,
the e-mail worm that has been showing up in our mail. As noted
below, one of the particularly insidious characteristics of this new
plague is that it forges prepends [H-SIG] so it looks like the
message is from a mail list.

1a. Be Careful Out There. The Bugbear is no teddy bear. It is an e-mail
worm containing backdoor components that can allow an infected system to
be remotely compromised; it also includes the ability to kill antivirus
and firewall software, leaving infected systems wide open to further
attacks and lulling you into a false sense of security thinking your
system is virus-free. Genealogists have much more interesting things to
do than deal with an Internet worm with a Trojan horse, but such is life.

Bugbear, which hit Great Britain and Australia users first on Monday,
September 30, according to news reports, is also known as Tanatos. It
arrives via e-mail with no distinct characteristics except that the
attached file is always 50,688 bytes long. The subject line and text are
stolen from existing e-mail it finds on an infected machine. Many
RootsWeb users are expressing concerns about this latest varmint because
unless you pay extra-careful attention you might think an e-mail with
the attached Bugbear worm is coming from a trusted genealogy friend,
family member, or from your favorite Mailing List.

RootsWeb's Mailing Lists do not allow any attachments, but that doesn't
mean you won't receive something that will fool you into thinking the
message is from a RootsWeb Mailing List. This is one clever worm. There
are confirmed reports of Bugbear even forging some prepends commonly
used on many of our Mailing Lists. If you receive e-mail with an
attachment that appears to be from say [SURNAME-L] and you are not
subscribed to that Mailing List, that is a good indication that it is a
message with the Bugbear worm attached. Even if you are subscribed to a
certain list and there is an attachment, do not open it.

Many of us are still fighting off the Klez worm, which steals and forges
our e-mail addresses and subject lines, and now along comes Bugbear and
the Opaserv worms. The latter is a network worm that was discovered
September 30 also.

Are you at risk? You certainly are if you are a Windows user, and
especially if you use Microsoft Internet Explorer 5.01 or 5.5 browsers
and have not applied the patch found in MS01-020.
[Note: Copy and paste carefully; this is a 2-line URL:]

According to CNET, a flaw in MIME (the multipurpose Internet
mail extensions) lets a malicious program attached to an e-mail message
execute (start) when the text of the message appears in Outlook or
Outlook Express (popular e-mail applications). The software problem was
patched by Microsoft almost 18 months ago, but it is obvious that many
genealogists have not updated their computers. Don't know what version
of Microsoft Internet Explorer you have? Launch the browser, click on
the Help menu and select About Internet Explorer to find out.

To prevent infection, Windows users be sure your system is current:
and everyone should update their antivirus software and refrain from
opening any attachment unless the sender confirms that he or she sent
it to you. The major antivirus (AV) software companies have updated
their files to include protection from Bugbear -- but you need to be
sure your AV is up-to-date. Moreover, don't rely exclusively on your AV
to protect you from every virus or worm that comes along.

If you use Outlook or Outlook Express for your e-mail application, be
sure to set your VIEW options to show attachments. In Outlook Express
make sure that the Preview Pane option is off. In Outlook, under VIEW,
turn off the Auto Review and the Preview Pane. Some e-mail clients treat
Mailing List digests as separate attachments, but those will always have
the Mailing List digest request address as the from address and they
will have the digest volume and number in the subject line. However, be
wary: if the attachment is exactly 50,688 bytes, it probably is the Bugbear.

For additional tips and links, please see: Virus, Trojans, Worms:
E-mail headers:
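
The two indicators the newsletter gives (an attachment of exactly 50,688 bytes, and a list prepend such as [SURNAME-L] on mail that carries an attachment) can be checked mechanically at a mail gateway or over a saved mailbox. The following is an added example, not code from RootsWeb Review or from the poster; the function names, addresses and sample messages are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

BUGBEAR_SIZE = 50_688                          # attachment size stated in the newsletter
LIST_TAG = re.compile(r"\[([A-Za-z0-9-]+)\]")  # list prepend, e.g. [H-SIG], [SURNAME-L]

def triage(raw: bytes, subscribed: set[str]) -> list[str]:
    """Return the reasons a raw message matches the newsletter's warning signs."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    attachments = list(msg.iter_attachments())
    for part in attachments:
        # Measure the decoded payload, not the base64 text on the wire.
        payload = part.get_payload(decode=True) or b""
        if len(payload) == BUGBEAR_SIZE:
            reasons.append(
                f"attachment {part.get_filename()!r} is exactly {BUGBEAR_SIZE} bytes")
    tag = LIST_TAG.search(msg.get("Subject", ""))
    if attachments and tag:
        # The lists described do not pass attachments, so any attachment under a
        # list prepend is suspect. Digests delivered as attachments would also
        # match; the newsletter's digest checks are not implemented here.
        name = tag.group(1).upper()
        if name not in subscribed:
            reasons.append(f"list tag [{name}] on a list you are not subscribed to")
        else:
            reasons.append(f"attachment on list mail tagged [{name}]")
    return reasons

def sample(subject: str, size: int) -> bytes:
    """Constructed test message: a text body plus one zero-filled attachment."""
    m = EmailMessage()
    m["From"] = "friend@example.org"
    m["To"] = "me@example.org"
    m["Subject"] = subject
    m.set_content("See attached.")
    m.add_attachment(bytes(size), maintype="application",
                     subtype="octet-stream", filename="attachment.bin")
    return m.as_bytes()

if __name__ == "__main__":
    for subj, size in [("[SURNAME-L] Re: family tree", 50_688), ("Re: photos", 1_234)]:
        print(subj, "->", triage(sample(subj, size), {"H-SIG"}) or "no indicators")
```

Because the worm reuses subject lines and text from real mail, a clean result here says nothing about whether a message is safe; the size check only catches the one fixed attachment length the newsletter reports.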
