http://www.vnunet.com/News/1135719 By Iain Thomson [07-10-2002] Networked devices spewing out pages of binary code Bugbear infections look to be levelling off slowly, but the worm's faulty code is having an unexpected side effect. Antivirus companies Sophos and Network Associates have both reported a slow down in infection detection, but overall the worm will top the threat charts for this month. However, a bug in the worm has meant that networked printers are being affected. In some cases the first a company has known about the infection is when the machines start spewing out pages of gibberish. "Most virus writers aren't geniuses and this one is no exception," said Graham Cluley of Sophos. "A fault in the code means that the virus identifies network printers as potential hosts and sends code to them. "The printer then tries to print the code in binary format, which comes out as gibberish. It doesn't harm the printers but the stationary costs are an added annoyance." Bugbear disables antivirus and firewall software and installs a Trojan keystroke logger as a DLL, detected as PWS-Hooker.dll. Anything the PC user types via the keyboard, such as passwords or sensitive information, is sent to the originator of the worm via the TCP port 36794. The worm also seeks to infect all other PCs on the network via the address book and network shares. It also takes advantage of a longstanding Microsoft exploit, MS-01/020, as did Klez. A patch for this has been available since March 2001 and can be found here [1]. Sophos has made a free Bugbear removal tool available here [2] that will work with any PC. [1] http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp [2] http://www.sophos.com/support/bugbear.html - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 03:03:39 PDT