> l that W32.Bugbear.Bmm 'contains routines that specifically affect
> financial institutions. This functionality will cause the worm to send
> sensitive data to one of ten hard-coded public Internet e-mail
> addresses. The information sent includes cached passwords and
> key-logging data.' It attempts to terminate processes of various
> antivirus and firewall programs (see above!). It copies itself to
> accessible shares (my 95 machine has no LAN shares on it, but,
> practically the whole 2000/XP machine, not only the shared folders,
> is accessible, since the 95 user is administrator on it - the drive
> letters are just hidden for him, but not inaccessible).
> I don't have any suspect ***.exe's in any Startup folder on any
> system. In my 95's C:\Windows\System I have 5 5,632-byte DLLs, but,
> all seem to be legitimate Windows DLLs and none is randomly named
> (as the article describes the PWS.Hooker.Trojan, dropped by the worm
> for keylogging). I don't see any suspect *.exe in my network shared
> documents, but, Symantec says it infects files matching filenames
> like regedit.exe, mplayer.exe, notepad.exe etc. However, I don't seem
> to have any file from the Symantec's list in my Shareddocs (All
> users\Documents), but, I also have a shared program repository on
> that (2000/XP) machine and, although the exe's there are mainly just
> installation archives and never installed programs themselves,
> there're hundreds of them and I hardly can be sure none of the
> filenames matches any from the list. AVG has detected nothing. It
> doesn't seem that I have port 1080 open on any system.
> If an attachment is .js or .scr (and W32.Bugbear.Bmm *is*) it may
> execute without a user's action, am I right? Although I am sure I
> have never opened the infected message in Eudora and I really don't
> believe it has even ever been displayed in preview window...
> So I might seem paranoiac, but... NAV protection crashes and memory
> problems strangely coincide with the worm's arrival. And the nature of
> the threat is very... delicate. I am certainly not a 'financial
> institution' :)) but I do, from time to time, do online financial
> transactions. Well, I assume that now it has been put out of combat
> (is it?), but, I need to be sure it hasn't sent any information
> before being put in quarantine. Meanwhile I'll use Linux for online
> payments. Although... *if* the 2000/XP machine is infected too, maybe
> the worm, somehow, can intercept the traffic passing through its
> ICS? I need to know A) whether I have any way to find out if any
> information has already been sent from the W95 system? B) How can I
> be absolutely sure that the XP/2000 machine is free of that worm?
> An additional question, please: after the incident (only after :( ),
> I've added to my Mercury server rules like this - to delete any
> incoming message that in the mess. body contains lines matching
> "*Content-Type: application/octet-stream*" AND "*filename="*.scr""
> (and by analogy for .js and
> .pif, I probably should add .vbs) But... *this* worm is
> characterised by incorrect MIME headers, so it can say 'Content-Type:
> image/jpeg' (matching the type of the file whose name it has
> 'stolen'), and then contain - a .scr file! So, I suppose my rules
> wouldn't block it and I'm afraid that only "*filename="*.js"" might
> be too restrictive. Opinions? A better way to create rules?
> I apologise for the long post and will greatly appreciate any
> response. Thanks in advance.
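As an added, defender-side example that is not part of the original thread: a small Python check that flags attachments by their filename extension regardless of the declared Content-Type, which is exactly the gap in the Mercury rules discussed above, and additionally flags parts that claim to be an image but carry a Windows executable. The message it scans is constructed inline; the extension list is an assumption drawn from the post.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed blocklist, taken from the extensions the post mentions (.scr, .js, .pif, .vbs).
RISKY_EXTENSIONS = {".scr", ".js", ".pif", ".vbs", ".exe"}


def suspicious_attachments(raw: bytes) -> list[dict]:
    """Return one record per attachment that is risky by filename, or whose
    declared Content-Type contradicts its bytes. The filename is checked first
    because a forged Content-Type (e.g. image/jpeg) does not change the
    extension Windows dispatches on when the file is opened."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:  # inline body text, not an attachment
            continue
        ext = PurePosixPath(name.lower()).suffix
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky extension {ext}")
        # A Windows PE executable starts with the 'MZ' signature; no image does.
        if declared.startswith("image/") and payload[:2] == b"MZ":
            reasons.append(f"declared {declared} but payload is a PE executable")
        if reasons:
            findings.append({"filename": name, "declared": declared, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed test message: one consistent image part and one forged part
    whose Content-Type says image/jpeg while the name ends in .scr."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "photos"
    msg.set_content("see attached")
    msg.add_attachment(b"\xff\xd8\xff\xe0fakejpeg", maintype="image",
                       subtype="jpeg", filename="holiday.jpg")
    msg.add_attachment(b"MZ\x90\x00fakepe", maintype="image",
                       subtype="jpeg", filename="holiday.jpg.scr")
    return msg.as_bytes()
```

Running `suspicious_attachments(build_sample())` reports only `holiday.jpg.scr`, with both the extension and the MZ-versus-image mismatch as reasons, while the consistently labelled `holiday.jpg` passes.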