This week’s virus report looks at five worms: Bugbear.B, Sobig.C, Redisto.B, Festival and Naco.D. Among them, the “B” variant of Bugbear stands out in particular, as in the last few hours it has caused one of the largest epidemics of the last few months.
Bugbear.B is a dangerous worm that spreads quickly via e-mail and across shared network drives. This worm activates automatically when the message carrying it is viewed through the Outlook Preview Pane. Bugbear.B does this by exploiting a vulnerability in Internet Explorer (versions 5.01 and 5.5) which allows e-mail attachments to be run automatically. This exploit is known as Exploit/iFrame.
The actions that Bugbear.B carries out include the following:
– It infects a large number of files.
– It disables the security programs installed on the affected computer.
– It opens port 1080, which allows hackers to gain remote access to the affected computer.
– It logs keystrokes to a file. Hackers who accessed this file would be able to obtain confidential data such as passwords for certain Internet services, bank accounts, etc.
Redisto.B is a worm that spreads rapidly via e-mail and P2P (peer-to-peer) file sharing programs. After infecting a computer, Redisto.B terminates active processes on the affected computer; as a result, some applications will stop working. Redisto.B also collects confidential information belonging to the user of the affected computer and sends it out via e-mail.
The third worm we will look at in this report is Sobig.C, which spreads via e-mail (in a message that reads “Please, see the attached file”) and across networks. Once it has infected a computer, Sobig.C looks for e-mail addresses in all the files on the affected computer with the following extensions: “TXT”, “EML”, “HTM”, “HTML”, “DBX” and “WAB”. It then sends a copy of itself to all these addresses.
The fourth worm in today’s report is Festival, which spreads quickly via e-mail, shared network drives, and through KaZaA, a P2P (peer to peer) file sharing program. When it spreads via e-mail, Festival is easy to identify, as the message carrying the worm always has the subject “Where are you?”.
Redisto.B, Sobig.C and Festival create several files on the affected computer and insert various keys in the Windows Registry.
Finally, Naco.D is a worm with a Trojan component that allows an attacker to gain remote access to certain resources on the affected computer. As a result, a hacker could, among other actions, open and close the CD-ROM tray or swap the mouse button functions. This worm also sends an e-mail message containing information on the affected computer to a certain address; the information it sends includes the operating system installed and the number and type of drives installed, among other details. Finally, Naco.D disables the security programs installed on the affected computer.
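The lures and the delivery trick described above can be matched at a mail gateway before a message reaches a vulnerable Preview Pane. The following Python example is added here and is not part of the original report: it flags the Festival subject line and the Sobig.C body text quoted above, and also the HTML pattern that the Exploit/iFrame technique relies on (an iframe whose source is a cid: reference to a MIME attachment; the report names the exploit but not this marker, so the regex is an assumption). The two sample messages are constructed for the example, not real captures.

```python
import re
import email
from email import policy
from email.message import EmailMessage

# Lure texts quoted in the report: the Festival subject and the Sobig.C body.
LURE_SUBJECTS = {"where are you?"}
LURE_BODY_PHRASES = ("please, see the attached file",)

# Exploit/iFrame delivery marker (assumption, not stated in the report): an HTML
# body that loads a MIME attachment through <iframe src="cid:..."> so a
# vulnerable client runs the attachment when the message is merely previewed.
IFRAME_CID_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?cid:", re.IGNORECASE)


def classify(raw: bytes) -> list[str]:
    """Return the indicators found in one raw RFC 822 message, in scan order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if str(msg.get("subject", "")).strip().lower() in LURE_SUBJECTS:
        findings.append("festival-lure-subject")
    for part in msg.walk():  # walk every MIME part, including nested ones
        ctype = part.get_content_type()
        if ctype == "text/plain":
            body = part.get_content().lower()
            if any(phrase in body for phrase in LURE_BODY_PHRASES):
                findings.append("sobig-lure-body")
        elif ctype == "text/html" and IFRAME_CID_RE.search(part.get_content()):
            findings.append("iframe-cid-autorun")
    return findings


def sample_worm_message() -> bytes:
    """Constructed sample carrying all three indicators; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Where are you?"
    msg.set_content("Please, see the attached file")
    msg.add_alternative('<html><body><iframe src="cid:attach1" width=0 height=0>'
                        "</iframe></body></html>", subtype="html")
    return msg.as_bytes()


def sample_benign_message() -> bytes:
    """Constructed ordinary message that should yield no findings."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Meeting notes"
    msg.set_content("Notes from today's meeting are in the shared folder.")
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify(sample_worm_message()), classify(sample_benign_message()))
```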