BugBear/Tanatos Worm
Sunday, 6th October, 2002
On September 30 an infectious new virus was first seen 'in the wild'. The BugBear virus, or Tanatos worm as it is now known, has quickly infected millions of computers around the world, with Australia one of the hardest hit countries.
How It Works
- The worm infects computers running Windows via email attachments and local network file shares.
- Bugbear exploits the IFRAME vulnerability of Internet Explorer. This means that emails that contain HTML (like a web page) and not just plain text have the ability to automatically run any attachments that come with the email. These attachments may contain the virus.
- Once the virus infects a computer on a local area network, it is then able to infect other computers connected to the same network via Windows file shares.
- After infection, the virus opens a back door on the host computer that can be used to view the contents of the computer's hard disk, upload files to the computer and view contents of other computers on the same network using a web browser.
Virus Symptoms/Effects
- Tries to disable any virus scanners or firewalls running on the host computer.
- Attempts to spread by sending emails infected with itself to addresses in the address book and in other emails found on the host computer.
- Forwards copies of confidential emails with the virus as an attachment. This confuses the receiver and they often open the attachment, trying to understand what the email is about.
- The attachment the virus sends with an email is given a name that is derived from other attachments found on the host computer or the names of people contained in emails on that computer.
- The person you receive an infected email from is not necessarily the person who has the virus; they are probably just listed in the infected computer's email program.
- The virus tries to spread to other computers on the same local area network, and a side effect of this is that it will print large amounts of garbage to printers on the network.
Removal
Prevention
You can prevent your computer from being infected with the BugBear virus by doing the following:
- Keep your computer's software up to date by downloading patches.
This is especially important for network and internet software such as:
- Internet Explorer
- Outlook Express
- Netscape
- Configure Windows to show you the file extensions of all files (e.g. .exe, .doc, .xls). This ensures that files can't pretend to be a different type of file by using a double file extension (e.g. virus.doc.exe).
You can disable hiding file extensions by:
- Open Windows Explorer
- Open the Tools menu (or View menu in Windows 95)
- Select Folder Options
- Click the View tab
- Uncheck "Hide Extensions for Known File Types"
- Be very careful when opening emails with attachments. Only open attachments when you know who they are from and what type of file they are. To be safe, never open attachments with any of the following extensions:
- .com
- .exe
- .bat
- .pif
- .vbs
- .js
Be very careful opening files that open in Microsoft Office, such as:
These files can contain macros - small programs that run within Word or Excel, and can damage your computer.
- Never accept files with double filename extensions, e.g. document.doc.pif or spreadsheet.xls.exe.
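The attachment rules above can be applied automatically at a mail gateway or in a mail client filter. The following is an added example, not code from the advisory or from any vendor it links to: it parses a message with Python's standard email library and classifies each attachment as block, warn or allow using the extension list given above, the double-extension rule, and a warning for macro-capable Office files. The DOCUMENT_LIKE set used to recognise a masquerading double extension, and the sample message itself, are constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the advisory says never to open; the DOCUMENT_LIKE set is an
# assumption used to spot double extensions such as report.doc.zip.
BLOCKED_EXTENSIONS = {".com", ".exe", ".bat", ".pif", ".vbs", ".js"}
MACRO_CAPABLE = {".doc", ".xls"}          # Office files: may carry macros
DOCUMENT_LIKE = MACRO_CAPABLE | {".txt", ".htm", ".html", ".pdf", ".jpg", ".gif"}


def classify_filename(name):
    """Return 'block', 'warn' or 'allow' for one attachment filename."""
    parts = name.strip().lower().split(".")   # case and whitespace do not matter
    exts = ["." + p for p in parts[1:] if p]  # every suffix after the base name
    if not exts:
        return "allow"                         # no extension at all
    if exts[-1] in BLOCKED_EXTENSIONS:
        return "block"                         # .exe, .pif, .vbs, ...
    if len(exts) >= 2 and exts[-2] in DOCUMENT_LIKE:
        return "block"                         # double extension, e.g. report.doc.zip
    if exts[-1] in MACRO_CAPABLE:
        return "warn"                          # Office document: may contain macros
    return "allow"


def scan_message(raw_bytes):
    """Parse an RFC 822 message and classify every named attachment it carries."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():        # skips the ordinary body part
        filename = part.get_filename()
        if filename:                           # unnamed parts have nothing to check
            findings.append((filename, classify_filename(filename)))
    return findings


def build_sample_message():
    """Constructed sample resembling the forwarded-mail trick described above."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"      # constructed addresses
    msg["To"] = "you@example.com"
    msg["Subject"] = "Re: quarterly figures"
    msg.set_content("Forwarded message body (constructed sample).")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="Spreadsheet.XLS.exe")
    msg.add_attachment(b"\xd0\xcf\x11\xe0", maintype="application",
                       subtype="msword", filename="minutes.doc")
    msg.add_attachment("plain notes", subtype="plain", filename="notes.txt")
    return msg.as_bytes()
```

Running scan_message(build_sample_message()) blocks the double-extension executable, warns on the Word document and allows the text file.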
Links to More Information and Downloads
- Bugbear/Tanatos virus description
- http://www.f-secure.com/v-descs/tanatos.shtml
- Tips on avoiding computer worms
- http://www.f-secure.com/virus-info/tips.shtml
- SMH report from October 1, 2002
- http://www.smh.com.au/articles/2002/10/01/1033283478736.html
- SMH report from October 4, 2002 - Bugbear hits hard
- http://www.smh.com.au/articles/2002/10/04/1033538762070.html
- Global Bugbear Worm Information Centre
- http://www.europe.f-secure.com/bugbear/
- Stand-alone F-Bugbear removal tool
- ftp://ftp.europe.f-secure.com/anti-virus/tools/f-bugbr.zip
- Stand-alone F-Bugbear removal tool instructions
- ftp://ftp.europe.f-secure.com/anti-virus/tools/f-bugbr.txt
- Download trial version of F-Secure Anti-Virus 5.40
- http://www.f-secure.com/download-purchase/list.shtml
- Update the signature databases of F-Secure Anti-Virus
- http://www.f-secure.com/download-purchase/updates.shtml
- MS Release of corrected version of patch for IFRAME vulnerability
- http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS99-042.asp