Two new computer worms, one called Bugbear, the other Opaserv, are spreading across the Internet, each bringing its own distinct peril.
Bugbear spreads by e-mail through Outlook on the desktop. It can even execute its malicious code without the victim clicking on an attachment if the victim's Microsoft Web browser hasn't been upgraded since this browser vulnerability was identified several months ago. Once activated, Bugbear first checks whether antivirus software or personal firewalls are running on the victim's desktop, and then seeks to destroy them. After that, Bugbear installs a Trojan on the machine that creates a listening service so attackers can connect via TCP port 36794, a high TCP port not typically assigned, in order to upload or download files at will.
Once a machine is infected, Bugbear is hard to eliminate because "it renames its executables to a random name, and encrypts part of itself," says Tony Magallanez, engineer at security firm F-Secure.
Bugbear propagates by taking e-mail previously sent by the victim and sending it to an e-mail address chosen at random.
"This e-mail contains somebody's real subject line with someone's real e-mail," Magallanez said. Bugbear, which borrows some of its traits from the BadTrans and Klez viruses of the past, is believed to have originated in Malaysia a few days ago and appears to have been gradually spreading elsewhere since then. Computer users should install the latest antivirus updates to prevent Bugbear from infecting their desktop computers.
Another menace on the loose this week is a worm dubbed Opaserv, which exploits the Windows file-sharing protocol SMB to copy information over to another machine. Opaserv opens a backdoor to connect to a Web site, www.opasoft.com, so the attacker can send files to it. "We don't know much about this because the machine was taken down," Magallanez says.
