
Bugbear Worm Detection


The BugBear backdoor is listening on this port. An attacker may connect to it to retrieve secret information such as passwords, credit card numbers, etc.

The BugBear worm includes a keylogger and can kill antivirus and firewall software. It propagates through email and open Windows shares.

Depending on the antivirus vendor, it is known as Tanatos, I-Worm.Tanatos, NATOSTA.A, W32/Bugbear-A, Tanatos, W32/Bugbear@MM, WORM_BUGBEAR.A, Win32.BugBear…

#
# This script was written by Michel Arboi <[email protected]>
# Well, in fact I started from a simple script by Thomas Reinke and
# heavily hacked every byte of it :-]
#
# Script audit and contributions from Carmichael Security
#      Erik Anderson <[email protected]> (nb: this domain no longer exists)
#      Added links to the Bugtraq message archive and Microsoft Knowledgebase
#
# There was no information on the BugBear protocol.
# I found a worm in the wild and found that it replied to the "p" command;
# the data look random but ends with "ID:"  and a number
# Thomas Reinke confirmed that his specimen of the worm behaved in the
# same way.
# We will not provide the full data here because it might contain
# confidential information.
#
# References:
#
# Date: Tue, 1 Oct 2002 02:07:29 -0400
# From:"Russ" <[email protected]>
# Subject: Alert:New worms, be aware of internal infection possibilities
# To:[email protected]
#

# Changes by Tenable:
# - Revised plugin title (12/28/10)
# - Add MSKB script_xref (8/29/17)

include("compat.inc");

# Registration phase: when the scanner loads the plugin with `description`
# set, only the metadata below is recorded and the script exits before any
# network activity. Attribute calls must precede script_end_attributes().
if (description)
{
 script_id(11135);
 script_version("1.37");
 script_cvs_date("Date: 2018/11/15 20:50:16");

 # The CVE/BID/MSFT references describe the IE MIME-header flaw (MS01-020)
 # the worm relies on for spreading, not a flaw in the backdoor itself.
 script_cve_id("CVE-2001-0154"); # For MS01-020 - should be changed later
 script_bugtraq_id(2524);
 script_xref(name:"MSFT", value:"MS01-020");
 script_xref(name:"MSKB", value:"290108");
 script_xref(name:"MSKB", value:"329770");

 script_name(english:"Bugbear Worm Detection");
 script_summary(english:"Detect Bugbear worm");

 script_set_attribute(attribute:"synopsis", value:
"The remote host has been compromised.");
 script_set_attribute(attribute:"description", value:
"The BugBear backdoor is listening on this port.  An attacker may
connect to it to retrieve secret information such as passwords,
credit card numbers, etc.

The BugBear worm includes a keylogger and can kill antivirus and
firewall software.  It propagates through email and open Windows
shares.

Depending on the antivirus vendor, it is known as Tanatos,
I-Worm.Tanatos, NATOSTA.A, W32/Bugbear-A, Tanatos, W32/Bugbear@MM,
WORM_BUGBEAR.A, Win32.BugBear...");
 script_set_attribute(attribute:"see_also", value:"https://www.sophos.com/en-us/search-results.aspx?search=w32bugbeara&refine=7edf01e4de3c4c8791a56ba6ce685d09");
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?db7425b2");
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?45f1d49b");
 script_set_attribute(attribute:"see_also", value:"http://vil.nai.com/vil/content/v_99728.htm");
 script_set_attribute(attribute:"see_also", value:"http://support.microsoft.com/default.aspx?scid=KB;en-us;329770&");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-020");
 script_set_attribute(attribute:"solution", value:
"- Use an Antivirus package to remove it.
- Close your Windows shares
- Update your IE browser
  See 'Incorrect MIME Header Can Cause IE to Execute E-mail Attachment'");
 # Full C/I/A impact: a live backdoor means the host is already compromised.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2001/03/30");
 script_set_attribute(attribute:"plugin_publication_date", value:"2002/10/03");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2002-2018 Michel Arboi & Thomas Reinke");
 script_family(english:"Backdoors");
 # Must match the hard-coded port probed in the detection phase below.
 script_require_ports(36794);
 # Service discovery runs first so the port state is already known.
 script_dependencies("find_service1.nasl");
 exit(0);
}

#

include("global_settings.inc");
include("misc_func.inc");

# Detection phase: probe the fixed backdoor port and report a hit when the
# reply carries the "ID:" marker the worm is known to send.
port = 36794;

# Nothing to do unless service discovery found the port open.
if (! get_port_state(port)) exit(0);

sock = open_sock_tcp(port);
if (! sock) exit(0);

# The probe is a single 'p' byte with no line terminator.
send(socket: sock, data: "p");
# Replies seen in the wild were at most 247 bytes, but "ID:" sits near the
# end of the reply, so read generously rather than risk truncating it.
reply = recv(socket: sock, length: 65536);
close(sock);

# Plain substring match: the reply is not parsed beyond locating "ID:",
# so any service that answers a 'p' probe with that token would also match.
if ("ID:" >!< reply) exit(0);

security_hole(port);
register_service(port: port, proto: "bugbear");
exit(0);