Bugbear worm

🗓️ 03 Nov 2005 00:00:00Reported by This script is Copyright (C) 2002 Michel Arboi & Thomas ReinkeType 
openvas
 openvas
🔗 plugins.openvas.org👁 97 Views

Bugbear worm, backdoor, keylogger, antivirus, firewall, email propagation

# OpenVAS Vulnerability Test
# $Id: bugbear.nasl 6125 2017-05-15 09:03:42Z teissa $
# Description: Bugbear worm
#
# Authors:
# Michel Arboi <[email protected]>
# Well, in fact I started from a simple script by Thomas Reinke and 
# heavily hacked every byte of it :-]
# Script audit and contributions from Carmichael Security <http://www.carmichaelsecurity.com>
# Erik Anderson <[email protected]>
# Added links to the Bugtraq message archive and Microsoft Knowledgebase
#
# Copyright:
# Copyright (C) 2002 Michel Arboi & Thomas Reinke
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#

# Report text used for both the confirmed and the suspected case; it is
# registered as the "summary" tag in the description block below.
# Vendor alias names and vendor write-up URLs are kept verbatim.
tag_summary = "BugBear backdoor is listening on this port. 
A cracker may connect to it to retrieve secret 
information, e.g. passwords or credit card numbers...

The BugBear worm includes a key logger and can kill 
antivirus or personal firewall softwares. It propagates 
itself through email and open Windows shares.
Depending on the antivirus vendor, it is known as: Tanatos, 
I-Worm.Tanatos, NATOSTA.A, W32/Bugbear-A, Tanatos, W32/Bugbear@MM, 
WORM_BUGBEAR.A, Win32.BugBear...

http://www.sophos.com/virusinfo/analyses/w32bugbeara.html
http://www.ealaddin.com/news/2002/esafe/bugbear.asp
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
http://vil.nai.com/vil/content/v_99728.htm

Reference : http://online.securityfocus.com/news/1034
Reference : http://support.microsoft.com/default.aspx?scid=KB;en-us;329770&";

# Remediation steps, registered as the "solution" tag. The last item points
# at MS01-020, the IE MIME-header flaw (CVE-2001-0154 in the description
# block) through which a mail attachment can be executed automatically;
# patching it closes the e-mail propagation path, the shares item the other.
tag_solution = "- Use an Anti-Virus package to remove it.
- Close your Windows shares
- Update your IE browser 
  See 'Incorrect MIME Header Can Cause IE to Execute E-mail Attachment'
  http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx";

# There was no information on the BugBear protocol. 
# I found a worm in the wild and found that it replied to the "p" command;
# the data looks random but ends with "ID:" and a number;
# Thomas Reinke confirmed that his specimen of the worm behaved in the 
# same way. 
# We will not provide the full data here because it might contain 
# confidential information.
# 
# References:
#
# Date: Tue, 1 Oct 2002 02:07:29 -0400
# From:"Russ" <[email protected]>
# Subject: Alert:New worms, be aware of internal infection possibilities
# To:[email protected]

# Registration branch: the scanner runs the file with `description` set to
# collect metadata only, and exit(0) at the end keeps the probe code below
# from running in that mode.
if (description)
{
  script_id(11135);
  script_version("$Revision: 6125 $");
  script_tag(name:"last_modification", value:"$Date: 2017-05-15 11:03:42 +0200 (Mon, 15 May 2017) $");
  script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
  script_name("Bugbear worm");
  script_copyright("This script is Copyright (C) 2002 Michel Arboi & Thomas Reinke");
  script_family("Malware");
  script_category(ACT_GATHER_INFO);

  # Cross-references. The CVE is the one for MS01-020 (the IE MIME-header
  # flaw named in the solution text), not an identifier for the worm itself.
  script_cve_id("CVE-2001-0154"); # For MS01-020 - should be changed later
  script_bugtraq_id(2524);
  script_xref(name:"IAVA", value:"2001-a-0004");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
  # Detection relies on the reply banner of the probed port.
  script_tag(name:"qod_type", value:"remote_banner");

  # Runtime prerequisites: the backdoor port must be open, and service
  # discovery must have run first.
  script_require_ports(36794);
  script_dependencies("find_service.nasl");

  # Report texts defined at the top of the file.
  script_tag(name:"solution", value:tag_solution);
  script_tag(name:"summary", value:tag_summary);
  exit(0);
}

#
include("misc_func.inc");

# Port the BugBear backdoor listens on (the same value is declared via
# script_require_ports in the description block).
port = 36794;

if (!get_port_state(port)) exit(0);

sock = open_sock_tcp(port);
if (!sock) exit(0);

# The only known probe is a bare 'p' with no CR/LF. A live backdoor answers
# with random-looking bytes that end in "ID:" followed by a number; the reply
# may hold captured data, so it is never copied into the report.
send(socket: sock, data: "p");
# Observed replies were at most 247 bytes, but "ID:" sits near the end, so
# read generously rather than risk cutting the marker off.
reply = recv(socket: sock, length: 65536);
close(sock);

if ("ID:" >< reply)
{
  # Confirmed: report and record the port as the "bugbear" service.
  security_message(port: port);
  register_service(port: port, proto: "bugbear");
  exit(0);
}

# No recognisable answer. The port alone is characteristic enough that the
# original authors chose to warn anyway, at lower confidence.
msg = "
This port is usually used by the BugBear backdoor.
Although OpenVAS was unable to get an answer from the worm, 
you'd better check your machine with an up to date 
antivirus scanner.";
security_message(port: port, data: msg);
