Bugbear and Opasoft Hype or reality?

Discussion in 'malware problems & news' started by Primrose, Oct 2, 2002.

Thread Status:
Not open for further replies.
  1. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Danger of virus: Bugbear and Opasoft Hype or reality?

    VSantivirus No. 817 - Year 6 - Wednesday, October 2, 2002

    Danger of virus: Bugbear and Opasoft Hype or reality?
    http://www.vsantivirus.com/02-10-02.htm

    By Jose Luis Lopez
    videosoft@videosoft.net.uy


    While our own monitoring system, as the hours go by, keeps reporting more and more infections of the Bugbear worm (or Tanatos), some experts we consulted in Europe are astonished at this number, since there they have seen very few cases (so far).

    Is this hype (an exaggeration of an event, in this case by antivirus manufacturers and some of the press), or is it really a plague?

    In the case of Bugbear, we think it really is a plague, and we venture to say that this worm will probably take from Klez its record of almost 6 months in the top positions by number of reported infections. Our monitoring system currently registers 62 infected messages (confirmed reports, because there are many more according to the messages from our readers).

    On the other hand, the second threat, announced at almost the same time, Opasoft (or Opaserv), did not merit an urgent bulletin from us (as Bugbear did), because in spite of the news in the press and from some antivirus manufacturers, we did not receive any report of an incident (and we still have not received one as of this moment, at least).

    Is it really a threat? In the case of Opasoft, this claim must be taken with care. Almost certainly this worm, given its characteristics, will turn out to be one of many, without great risk of propagation. And it really seems to us an exaggeration to have put it at such a high degree of alert.

    Bugbear, however, has all the characteristics to become a nightmare. It is sent in messages with random subjects and texts. It executes just by reading or previewing the message. And even with the Internet Explorer and Outlook Express patches that prevent this (or with IE 6), many people answer YES to a question that should always be answered NO (the download and execution of a file, according to the alert message that a patched system usually displays).

    Personally, in a single day (the first after the worm appeared), we dealt with users who had become infected in spite of these precautions and in spite of having an active antivirus, simply because their antivirus happened to have last been updated on Saturday, while the worm made its public appearance on Monday. This alone shows how important it is to update every day (even more than once a day). Our suggestion is to do it at least as the first "task" whenever we connect to the Internet, or to program our software to do it every 3 or 4 hours if we have a 24-hour Internet connection.

    Incidentally, for those who do not know whether they are infected with Bugbear, one of its characteristics (similar to that of another well-known virus) is the repetition of certain characters when something is being typed (two commas or quotation marks, for example, instead of one). This is due to its 'keylogger', that is, its ability to capture everything typed by the user. And because its source code is not prepared for Spanish, this effect occurs, which can at least let one know that one has become infected.

    The statistics we present below, only as an illustration of the behavior of both worms, are of course entirely partial (they belong to a single antivirus manufacturer). But they reflect in some way the well-known differences between countries, and even continents, that certain infections cause. For example, the fact that Bugbear, when propagating, uses subjects and contents in our language makes it a greater threat than any other virus announced as a plague in English-speaking territories, which because of their language end up causing very few incidents in Spanish-speaking countries.


    Statistics of worm BUGBEAR.A
    By continent:

    Europe ........................ 861
    North America ................. 479
    Australia and New Zealand ..... 152
    South America ................. 177
    Asia .......................... 87
    Unknown origin ................ 15
    Africa ........................ 11

    Total ......................... 1782

    By country:

    Germany ....................... 624
    United States ................. 434
    Australia ..................... 107
    Brazil ........................ 102
    United Kingdom ................ 78
    Argentina ..................... 63
    Netherlands ................... 46
    New Zealand ................... 45
    Canada ........................ 36
    Portugal ...................... 31

    By percentage:

    Australia and New Zealand ..... 18.6%
    Africa ........................ 9.6%
    South America ................. 8.6%
    Europe ........................ 3.2%
    North America ................. 1.3%
    Asia .......................... 1.2%

    Source: Trend Micro World Virus Tracking Center

    Statistics of worm OPASOFT.A

    Computers infected as of 30/Sep/02:

    By continent:

    North America ................. 248
    Asia .......................... 201
    South America ................. 81
    Europe ........................ 66
    Australia and New Zealand ..... 8
    Africa ........................ 3
    Unknown origin ................ 3

    Total ......................... 610

    By country:

    United States ................. 188
    Japan ......................... 134
    Brazil ........................ 62
    Canada ........................ 46
    Taiwan ........................ 27
    Korea ......................... 25
    Mexico ........................ 14
    France ........................ 10
    Netherlands ................... 10
    United Kingdom ................ 8

    By percentage:

    South America ................. 4.3%
    Africa ........................ 2.9%
    Asia .......................... 1.9%
    Europe ........................ 1.7%
    North America ................. 1.0%
    Australia and New Zealand ..... 0.6%

    Source: Trend Micro World Virus Tracking Center

    References:

    W32/Bugbear.A (Tanatos), a worm of fast propagation
    http://www.vsantivirus.com/bugbear-a.htm

    W32/Opasoft.A. One propagates through port 139
    http://www.vsantivirus.com/opasoft-a.htm

    ______________________________________________

    Standalone Removal Tool

    Win32.BugBear.A@mm
    info AntiBugBear.exe


    http://www.bitdefender.com/html/free_tools.php
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Thanks John.

    Without going into the accuracy from this source:

    We've had reports the cleaning tool from BitDefender actually fails on occasions. Is this news to you?

    regards.

    paul
     
  3. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    > We've had reports the cleaning tool from BitDefender actually fails on occasions. Is this news to you?

    There are numerous reports about this and Norton's Bugbear cleaners failing and/or breaking something ... but there's always the possibility that "another" virus is active in memory alongside Bugbear, and this could produce unexpected results when using any standalone cleaner.

    As far as I know, our Bugbear cleaner (by Paolo Monti, NOD32 Italy) works OK ... it has been downloaded thousands of times, and so far no-one has complained that it didn't work.

    We have an Opaserv cleaner online too, by Anders Nilssen, NOD32 Scandinavia.

    ( http://www.nod32.com.au ... links on the front page )

    Ideally, an infected user should download and install the latest version of his/her antivirus program of choice to deal with brand new viruses ... but Bugbear can prevent this on a pre-infected machine by attacking the newly installed AV process.

    NOD32 is one of the very few antivirus programs which Bugbear doesn't attack (no ... I didn't write it! :) ) which is probably why we've had a massive upsurge in trial version downloads over the past few days.
     
  4. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    There are many reports of Bugbear and Opaserv standalone cleaners from various antivirus vendors either not working or trashing something.

    The problem with one-off cleaners is that they are aimed at a specific virus, and they may not work as designed if "other" viruses are active in memory. You could end up with a disaster on your hands.

    It's always best to download and install the latest version of your antivirus program of choice to handle brand new infections ... but this may not be possible with Bugbear because it can attack and kill the newly-installed AV process, leaving you right back where you started. (I doubt that Bugbear will be the last of its type. Bugbear's runaway "success" will inspire other virus coders to use (and improve on) the same routines, and retroviruses will become flavor of the month.) :(

    NOD32's Klez cleaner wasn't aimed specifically at Klez ... it was a fully functional freebie version of the NOD32 Antivirus System, which could not be updated. Despite its size (much bigger than anyone else's Klez cleaner) it was an extremely popular download, as many Klez emails carried other viruses with them and many Klez-specific cleaners failed miserably in the presence of these viruses.

    Our Bugbear and Opaserv cleaners are much smaller, and so far no-one has complained about them not working nor about them causing other problems ... but there's always that possibility.

    Maybe you guys and girls could give me some feedback on this ......

    "Would you prefer to download a large full-bore find-anything cleaner ... or take the risk with a small virus-specific cleaner which may produce unexpected results ?"
     
  5. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    Well I'm glad I was running Nod32 when I got hit repeatedly last night :)
     
  6. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    Hi Rodzilla. I use NOD32 and I'm very happy with it. You asked a question at the end of your post. I personally would rather use a full-bore find-anything tool if I was infected and needed a cleaning tool for any new virus.
     
  7. NetWatchman

    NetWatchman Security Expert

    Joined:
    Jul 24, 2002
    Posts:
    31
    I believe Opasoft is real...suspect Bugbear is being overhyped:

    http://www.mynetwatchman.com/kb/security/articles/opasoft/cumulative.htm

    http://www.mynetwatchman.com/kb/security/articles/opasoft/newinfects.htm
     
  8. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743

    Looks like Rod filled in the blanks and I agree with what he has stated..

    I can tell you personally I have had no problem with the PANDA free tool for this Bug Bear..and have not heard anyone else that has.

    And the tool for Opa is also good..no failure to clean to date...if any of that changes...I will let you know.


    I see NetWatchman posted about Bugbear...I do not think it is overhyped o_O but do not know in what context he means that...if it is what he is seeing OK.. but that does not draw the true picture for the rest of the world.
     
  9. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    On the data stuff..please do not make it an issue..so many places to go to find it and I even have my own ;)

    But one site you can look at is Trend Map..it is a "representation" here is a link if any are interested.

    http://wtc.trendmicro.com/wtc/
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    I do agree it's not that easy to put figures on these - worldwide.

    Nevertheless - thanks Lawrence. You do provide a great service.

    regards.

    paul
     
  11. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    Many viruses have been hyped to hell and back, and a major problem faced by ethical AVers is that there has been so much Snake Oil spread around by marketroids over the years that it's hard to get a legitimate virus warning posted in the mainstream media. If you do manage to get your warning posted, the general public writes it off as hype anyway, and doesn't believe it until the virus bites them.

    When you read "20000 Bugbear infections reported worldwide" on an antivirus vendor's website, this is the number of reports to that particular vendor ... not the overall worldwide figure.

    Bugbear is not hype! It became more prolific than Klez in the first three days of its life. It's everywhere ... and it's getting worse.
     
  12. NetWatchman

    NetWatchman Security Expert

    Joined:
    Jul 24, 2002
    Posts:
    31
    I'd really like to know where that number came from "reported" by who. I'm getting the impression that people are using the udp/137 port scan stats to quantify the number of suspected infected hosts.

    Bugbear is certainly out there...but I'm only seeing it on about .1% of the hosts which are currently generating udp/137 scans...I checked 170,000 hosts today, BTW.

    It's much harder to test a host for an Opaserv infection, but when specifically checking hosts that are sourcing udp/137 scans most have the scrsvr.exe file on them...hence we are concluding that the source of these scans is Opaserv NOT Bugbear.

    Bugbear may be propagating quickly via email (I don't monitor email...just scanning activity so I don't know), but I'm pretty certain that the only thing really spreading via open file shares is Opaserv.

    BTW, my stats are a *global* perspective, representing the collective experience of 1200 sensors in 47 countries.
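A defender-side illustration of the udp/137 scan-source counting this post describes, added here as an example; it is not NetWatchman's code or data, and the log line format, the sensor names, the addresses and the 3-target threshold are all constructed assumptions. It separates a host that probes many distinct addresses on udp/137 (scan behaviour) from one that repeatedly queries a single name server, and reports only what a sensor network can actually claim: distinct scanning hosts and the number of sensor countries that saw them.

```python
import re
from collections import defaultdict

# Constructed sample sensor log lines (not real data): sensor country,
# source address, destination address, protocol and destination port.
SAMPLE_LOG = """\
2002-10-03T10:01:02 sensor=AU src=10.0.0.5 dst=192.0.2.10 proto=udp dport=137
2002-10-03T10:01:03 sensor=AU src=10.0.0.5 dst=192.0.2.11 proto=udp dport=137
2002-10-03T10:01:04 sensor=AU src=10.0.0.5 dst=192.0.2.12 proto=udp dport=137
2002-10-03T10:02:00 sensor=NL src=10.0.0.5 dst=198.51.100.7 proto=udp dport=137
2002-10-03T10:03:00 sensor=US src=10.0.0.9 dst=203.0.113.4 proto=udp dport=137
2002-10-03T10:03:01 sensor=US src=10.0.0.9 dst=203.0.113.4 proto=udp dport=137
2002-10-03T10:04:00 sensor=US src=10.0.0.22 dst=203.0.113.9 proto=tcp dport=139
2002-10-03T10:05:00 sensor=JP src=10.0.0.31 dst=192.0.2.40 proto=udp dport=137
2002-10-03T10:05:01 sensor=JP src=10.0.0.31 dst=192.0.2.41 proto=udp dport=137
2002-10-03T10:05:02 sensor=JP src=10.0.0.31 dst=192.0.2.42 proto=udp dport=137
2002-10-03T10:05:03 sensor=JP src=10.0.0.31 dst=192.0.2.43 proto=udp dport=137
"""

LINE_RE = re.compile(r"sensor=(\S+) src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")


def netbios_scan_sources(log_text, min_targets=3):
    """Return {src: {"targets": n, "sensors": {countries}}} for every source
    that probed at least min_targets distinct hosts on udp/137.
    Repeated probes of one host (a normal NetBIOS name lookup against a
    single server) never reach the threshold, so they are not reported."""
    targets = defaultdict(set)
    sensors = defaultdict(set)
    for match in LINE_RE.finditer(log_text):
        sensor, src, dst, proto, dport = match.groups()
        if proto != "udp" or dport != "137":
            continue  # only NetBIOS name-service probes are of interest here
        targets[src].add(dst)
        sensors[src].add(sensor)
    return {src: {"targets": len(dsts), "sensors": sensors[src]}
            for src, dsts in targets.items() if len(dsts) >= min_targets}


def summarize(scanners):
    """Distinct scanning hosts and distinct sensor countries that saw them:
    the two figures a sensor network can state without inferring infections."""
    countries = set()
    for info in scanners.values():
        countries |= info["sensors"]
    return {"hosts": len(scanners), "countries": len(countries)}
```

Confirming that a flagged host is actually running Opaserv (the scrsvr.exe check the post mentions) is a separate, host-level step that scan data alone cannot replace.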
     
  13. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    I imagine antivirus vendors arrive at the numbers by correlating reports from their own users and people looking for help with infections.

    I'm not up with all this "host" stuff ... so maybe you can explain how you can tell if I have live viruses active on my PC, and which viruses they are.
     
  14. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,995
    I also do not believe BugBear is hype.

    From what I've seen, you would think people would have learned something from Klez, but many haven't. Also, whether or not the statistics are exaggerated, it probably will surpass Klez soon, because of its inherently more complex nature, and the fact that it seems to spread itself faster than Klez did.

    -Javacool
     
  15. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    I'm the first to admit that some antivirus vendors shovel out a mountain of hype for every trivial virus they think will make them another dollar or two ... I've been bitching about it for years ( see http://www.nod32.com.au/nod32/awards/snakeoil.htm ) ... but Bugbear is neither trivial nor hype.

    Bugbear outstripped Klez in the "spreading faster and further" stakes only three days after it first appeared, and the gap is widening. It's already well on the way to becoming the "big hit" of 2002, and it shows no sign of slowing down in the near future.

    However, ego wars are not uncommon in the virus world, and the major surge in Klez reports we've seen over the past 48 hours or so makes me think that perhaps the Klez author's ego has been stung by Bugbear's "success" and he's done a mass re-release in an attempt to keep Klez in the #1 slot.
     
  16. I assure you all that the Bugbear worm is not hype. My company has intercepted more than 6,000 infected e-mails to date, and more than 800 pointless warnings from Norton, AVG, and Norman.
     
  17. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    I was quoted in Wired several months ago bitching about these useless robot "PoopScan says you sent me a virus" "warnings" in relation to Klez, and in the Sydney Morning Herald last Friday ( http://www.theage.com.au/articles/2002/10/04/1033538762070.html ) in relation to Bugbear.

    The antivirus vendors responsible for this waste of bandwidth (and of other people's time and money) know damn well that the chances of such a "warning" ever reaching the actual sender of the virus are virtually zero ... but their programs still keep spewing them out by the thousands. (One could be forgiven for wondering why those vendors didn't notify their users that robot "warnings" about sender-spoofing viruses like Klez and Bugbear are worse than useless, and advise them to switch the feature off.)

    I've named this practice "spamvertising". The name fits!

    Apart from jamming bandwidth with useless and unnecessary traffic, spamvertising also costs me (and everyone else in the antivirus industry) time and money "offline" ... I've lost count of the number of my own users who called complaining "I'm receiving emails telling me I'm sending out the Bugbear worm, but NOD32 isn't detecting it!" in the past week. (Deja vu ... it happened with Klez too.)
     