OLEX and the Win32Bugbear Virus

MerpsMom (SGF, Supreme Grumble Framer; Founding Member; joined Jul 30, 1997; 4,248 posts; Leawood, Kansas USA)
I just received an e-mail with an attachment, the subject of the e-mail being: PPFA's Online Exchange Digest. Immediately my AV threw up the warning about the virus. This is the fourth warning I've received about this virus; not all the e-mails have had attachments, but this is the first one I might have been tempted to open. I didn't, since I don't participate in HH right now. Anyone else get the Digest thing?
 
No, but I have received 2 from Ted Hitsman about wanting information on software! I don't open ANYTHING from anyone that has an attachment that I wasn't expecting to receive without checking with them first.

With this Hitsman email, I noticed on the HH that there were others who also got a similar message from Ted.

My advice, watch your back and get a good virus program.

Framerguy

(I might add that these emails did NOT come from Ted Hitsman but had his name on them.)
 
I received some today as well -- mine were erroneously from PPFA Online Exchange and had a message that could make one think it was a digest.
I don't recall the subject. It was to __________.

I believe this is a virus that steals one's e-mail addressbook & other havoc.

Bugbear is fairly new -- so EVERYONE make sure your virus update is current!!
 
As Merrill said on the OLE, the email from Ted Hitsman didn't actually come from Ted. It came from somebody who had a copy of Ted's message in their inbox or filed.

I received a Hitchhikers OLE message today with an attachment, which of course doesn't happen, and Norton's immediately picked up the Bugbear virus.

The message did not come from the PPFA Hitchhikers server but from Hitchhikers@framesnthings.com. More than likely whoever has the email ending with framesnthings.com is the infected party. Bugbear makes its own email by combining addresses. The Properties button for the email will give you more of an idea of the origin of the message. However, even the above address came through a couple of locations that could be infected.
SCAN YOUR COMPUTER WITH ANTIVIRUS SOFTWARE, UPDATE WEEKLY.
However, if Bugbear is on your system and you try to install Norton's or some such, Bugbear will disable it.
 
I got both of these too, and Norton caught them right away. I don't subscribe to the digest version of the HH anyway, so I figured something was wrong. Like Framerguy, I never open anything I'm not sure of. I lost my last computer to a virus and have been very careful with email since.
 
Our internet provider has recently added a number of new services, including one that scans all incoming emails for viruses and deletes them before they get sent to your computer. I just signed up for it. Check with your provider, they may provide a similar service. We use a regional provider called Corecom.
 
This is something that I recently addressed on the Online Exchange.

This worm has the ability to spoof, or forge, the 'From:' field (often set to an address found on the victim's machine). Additionally, the virus can use a fabricated From address by taking the name before the "@" sign of one address and the domain name after the "@" sign of another address (i.e. name1@domain1.com + name2@domain2.com = name1@domain2.com). I received several of this particular "digest" message and the From address was different every time. One was addressed hitchhikers@verizon.net. In the "Hitsman" message you may not have noticed that only the "user" portion of the e-mail address was his, the domain portion being something totally different.

Because of this, the only thing you can determine about the origin of the email is the originating SMTP server from the headers of the email. With the Online Exchange I am sometimes able to narrow down who might be infected. This, I am hoping, is so with this particular message because the subject means that it is someone that is or was subscribed to the Online Exchange. I have sent a message to the person that I think it may be.

This virus affects systems running the Windows operating system. It does not affect MacOS or Linux environments. It spreads via network shares and by emailing itself. It also contains a back door trojan component that contains key logging functionality.

This worm emails itself to addresses found on the local system. And the addresses it uses do not just have to be in the address book; they can come from any stored file on the system. The virus code contains email subject strings and attachment names. However, the majority of samples received contain information not present in the virus, suggesting that there is a higher probability of the virus using words and filenames contained on the infected system.

For those on the Online Exchange, no attachment is ever sent by the list. And any attachment sent to the list is stripped or rejected completely.
 
I just got one from "Hitchhikers@strato.net" (Hitchhikers online exchange). It was titled PPfa's Online Exchange Digest#1198. I opened the email and noticed there was a download, so I closed it. Merrill had just issued something saying the HH would never come with an attachment.

My concern is that I have Norton Anti Virus and nothing jumped up and said "warning". I just updated 3 days ago. I've never had a virus before so I don't know what to expect from the software. I do have it set to fix any virus automatically so maybe it won't tell me when one is found? All this internet stuff seemed so fun in the beginning. Now it just seems tiring and threatening. Just my mood I'm sure.........
 
Kathy, your Norton anti-virus may not kick in until you attempt to download, save or open an infected attachment. Just reading the text portion of a bad email will not usually trigger it.

BTW, for those of us that use Hotmail, I have found Norton's to work much better with Hotmail opened through Outlook Express than it does with Hotmail opened directly.
 
Hey I just had another one from Kakibassi@email.com. I know I recognize the name from HH. It was titled "How the heck are You?" and had an attachment. My inquisitive side wants to open it............but my reasonable side says "be afwaid be vewwy afwaid." For the time being I'm listening to the voice of reason. :eek:

As a rule I save my email for my home computer, I could care less if that one comes down with the most virulent of viruses and comes to a quick death at the hands of it. (I must be feeling hostile today.) I don't usually open anything here unless I know the sender but I guess I am to understand that sometimes even knowing the sender doesn't mean you should open it. Life is just full of parables isn't it?
 
Kathy, even if you don't care what happens to your home computer, a virus could infect it and send itself to everyone on your mailing list. That would include me. I wouldn't like that. Don't do it.
 
Just got email from Kakibassi (?) with a FWD:Day at work. Deleted it also-Ain't this fun?
 
Originally posted by Ron_Eggers:
Kathy, even if you don't care what happens to your home computer, a virus could infect it and send itself to everyone on your mailing list. That would include me. I wouldn't like that. Don't do it.
Don't worry Ron, I wouldn't deliberately do that. I just figure I'm safer getting a virus at home. I am very uneasy with this antivirus stuff. I haven't seen it in action and I fear it won't protect my computer. Right now I am acting on blind faith, so to speak. It is definitely spoiling the internet though.
 
Kathy,
Is your antivirus software set up to scan your email as you bring it in? Norton's can do that and will scan the attachments as soon as they are downloaded.
 
Originally posted by jvandy57:
Kathy,
Is your antivirus software set up to scan your email as you bring it in? Norton's can do that and will scan the attachments as soon as they are downloaded.
Jerry, I have it set up that way, but I am only assuming these two emails I've gotten are contaminated because of what is happening on HH and what I've read here. I want proof that the software is working. But I guess as long as I don't download the attachment I'll never know. A couple of other people posted that their software caught the virus, so I'm assuming they downloaded the attachment. What a weird, annoying thing to have to worry about.
 
You also want to make sure, if you're using Microsoft Outlook, that you have it set not to open files or run executables upon receipt. I use Win98, but I also use Eudora for my mail, and I've never had a problem with viruses. I do get them (including these "fake" e-mails, and some interesting things from other people's In/Out boxes that a virus on their PC sent to me because I was in their address book), but I just delete the files without ever opening or running them.
 
I got the suspect email from Kaki Bassi too. I use a Yahoo mailbox for OLEX and certain other business. All the infected emails I've gotten so far were sent to my bulk mail folder. Much easier to isolate that way.
Like Kathy, I'm a little skeptical about the virus software working properly. I think of it as a safety net that I hope won't be needed.
 
Sometimes your email software can give you some clues if it tells you the size of the email before you open it. A 69kb message from the HH OLE has a stowaway attachment and can be safely deleted.

I know it would be reassuring to have your anti-virus software give you some indication that it's working, but as long as it's set up properly and updated frequently, it's doing its job and there's no reason to panic. The number of "Hey, I got one of those, too!" messages on HH (and here) in the past 24 hours indicates the level of anxiety.

BTW, my front-counter computer that does the POS stuff is not connected to the internet and it's backed up daily. Everything else is dispensable.
 
Originally posted by emibub:
...I am very uneasy with this antivirus stuff. I haven't seen it in action and I fear it won't protect my computer...
Antivirus software is something like UV-filtering glass. Neither will absolutely prevent harm, but in both cases it's the best protection available.

Virus perpetrators can't defeat the antivirus programmers for very long. So instead, they prey on our mistakes and carelessness. A friend complained that his antivirus software -- same program I use -- let in a virus that wiped out his hard drive. Conversation revealed that he had not updated his program in weeks.

Even the best antivirus programs must be updated frequently. Norton's recent versions have an option for automatic updating. It works, but I'm still cautious. I will not open any attachment unless I'm expecting it and know what's in it. Knowing who sent you an unexpected attachment is worthless, as your best friend's computer might send you a virus without his knowledge.

Lately, hardly a day goes by that I don't get a virus-laden message or two from people I know. Certainly they wouldn't do it on purpose...would they? :(
 
I am going to re-emphasize a part of my earlier post on this thread.

This worm has the ability to spoof, or forge, the 'From:' field (often set to an address found on the victim's machine). Additionally, the virus can use a fabricated From address by taking the name before the "@" sign of one address and the domain name after the "@" sign of another address (i.e. name1@domain1.com + name2@domain2.com = name1@domain2.com). I received several of this particular "digest" message and the From address was different every time. One was addressed hitchhikers@verizon.net. In the "Hitsman" message you may not have noticed that only the "user" portion of the e-mail address was his, the domain portion being something totally different.
It is unfair to lay blame on people just based on the From: Field. You have to dig further and see what the originating SMTP server was to confirm where the message originated from.

A prime example is the "kakibassi" messages. Yes the first part of the address is the same as kaki's but the "domain" portion is not. And the "Hitchhikers@strato.net" is NOT the Online Exchange address. Sure the first part is but not the last. So to say that it came from the Online Exchange is just plain wrong.

The whole purpose of this virus form is to lull you into a false sense of security.

Here is my rule of safe computing.

If you were not expecting the attachment, don't open it.

And before you open it, scan it first.

My recent version of McAfee Virus scan even interfaces with my version of Outlook 2000 and provides a button to click on to scan any attachments in my InBox. Do that first and then it will catch any viruses.

And for those wondering about the effectiveness of their software: the list of virus definitions grows daily. So even if you have the most recent version, you can still get caught out.

Remember why they call them trojans. You have to open the door for them to work.
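The From: splicing and the "check the originating SMTP server" advice in this post and in Merrill's earlier one, as an added Python example that is not from the thread: it flags a message that claims to be from the list but carries an attachment, spots a local part borrowed from a known address glued onto a different domain, and pulls the first-hop Received: line. The list address, the known addresses and the sample message are constructed placeholders.

```python
import email, re
from email import policy
# Constructed sample modelled on the fake "digest" messages in the thread;
# hosts, IPs and relays are made up, From/Subject mimic the posts.
SAMPLE = b"""Received: from mail.isp.invalid (mail.isp.invalid [192.0.2.10])
\tby mx.shop.invalid with ESMTP id abc123; Thu, 3 Oct 2002 09:12:01 -0500
Received: from oemcomputer (dsl-77.isp.invalid [192.0.2.77])
\tby mail.isp.invalid with SMTP id xyz789; Thu, 3 Oct 2002 09:11:58 -0500
From: Hitchhikers@strato.net
Subject: PPFA's Online Exchange Digest#1198
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="digest.exe"
Content-Disposition: attachment; filename="digest.exe"

MZ...
--b1--
"""

def split_addr(addr):
    user, _, dom = addr.lower().rpartition("@")
    return user, dom

def spliced_from(sender, known):
    # Bugbear splice: local part of one harvested address on another's domain.
    user, dom = split_addr(sender)
    for k in known:
        ku, kd = split_addr(k)
        if ku == user and kd != dom:
            return k  # the known address whose local part was borrowed
    return None

def originating_server(msg):
    # Relays prepend Received: lines, so the bottom one is the first hop:
    # the name the sending box announced, plus its reverse DNS and IP.
    hops = msg.get_all("Received", [])
    m = re.match(r"\s*from\s+(.*?)\s+by\s", hops[-1], re.S) if hops else None
    return m.group(1) if m else None

def triage(raw, list_address, known):
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    attachments = [p.get_filename() for p in msg.iter_attachments()]
    claims_list = split_addr(sender)[0] == split_addr(list_address)[0]
    return {"from": sender, "attachments": attachments,
            "spliced_from": spliced_from(sender, known),
            "originating_server": originating_server(msg),
            # The list never sends attachments: a "list" mail with one is bogus.
            "verdict": "delete" if attachments and claims_list else "review"}
```

The returned first-hop string is what to compare against subscribers' known mail servers; the From: line on its own proves nothing, as the post says.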
 
Originally posted by Merrill Grayson CPF:
It is unfair to lay blame on people just based on the From: Field.
A prime example is the "kakibassi" messages. Yes the first part of the address is the same as kaki's but the "domain" portion is not. And the "Hitchhikers@strato.net" is NOT the Online Exchange address. Sure the first part is but not the last. So to say that it came from the Online Exchange is just plain wrong.

I don't want to be misconstrued as saying that I'm "accusing" anyone. I was simply reporting information. I think I have grasped the concept that these individuals aren't responsible for the bugs. Since a lot of us visit the same forums and receive email from some of the same sources, there obviously has to be a connection somewhere? I meant no harm.
Signed, Kathy the Defensive Grumbler :rolleyes:
 
Guys, perhaps I'm naive, but who can tell me what's the thinking behind building a virus bomb and then setting it off? What's in it for its creator? Just hurting others for the art of it sounds gratuitous to me. If so, that tells much about human nature.
 
Cornell,
More often than not it's because they can!

The more widespread the virus becomes the more "Press" it gets, the more "Press" it gets the more successful the Hacker. Sucks don't it.
 
I had that bug come in a week ago just as e-mail and Norton quarantined it as it came in and I then deleted, so beware it is out there in many forms. My Norton also scans all out going mail.
 
Such a waste of talent. Imagine if these kids were using their skills for something beneficial?

Mike
 
I've received one of these from various sources almost every day for the last week. This morning there were no less than 6 emails with attachments with topics listed that were straight from recent Hitchhiker posts. I have a firewall, a very recently updated Norton antivirus program, and my internet provider scans all my emails before I get them and destroys any with viruses. None of these protections caught any of today's obviously bogus emails. All the others I have received were caught by one of my antivirus protections. I deleted all of the emails with attachments without opening them. Even the best security obviously doesn't always catch these things.
 
In the last two days, almost every email I have gotten that looks to be from HH has come through with an attachment. Is this happening to everyone else too? I've been afraid to open any of them, so I have deleted them all. None of my 3 virus protections have indicated any problems with them, but I still don't trust them. I decided to post this here because I wasn't sure if I could get through on the HH if there was a problem with it. :eek:
 
Anne, there are two ways to recognize the bogus HH mail. The size of the file should normally be small on the legitimate mail - not over 5 or 6k. A 69k file like the one I just received has an attachment and should be deleted. Also, the return address may look familiar - it might be made up of parts of HHers' email addresses. But, if you have filters set up to recognize mail from the OLEX list, it will dump the bogus mail into your junk folder or bulk mail folder depending on what email software you are using.

Your anti-virus software will probably not sound the alarm until you try and open an attachment. Reading the text body of the message will not normally trigger it. Since HH mail NEVER has an attachment, you'll know to stay away from those.
 
I decided to post this here because I wasn't sure if I could get through on the HH if there was a problem with it.
First, there is no problem with the Online Exchange. There are some people that have been in the past or are now subscribed that have contracted the bugbear worm.

No one will ever get an attachment from the Online Exchange.

Let me repeat that.

No one will ever get an attachment from the Online Exchange.

If you get a message that looks like it came from the Online Exchange that has an attachment, delete it.

I look at every message I get to try to narrow down who has the bug. About half come out of SMTP servers that I cannot track back to subscribed users. When I can, though, I send a message to the possible infectee.
 