bugbear.nasl

漏洞扫描源码,可以扫描linux,windows,交换机路由器

#
# This script was written by Michel Arboi <arboi@alussinan.org>
# Well, in fact I started from a simple script by Thomas Reinke and 
# heavily hacked every byte of it :-]
#
# GPL
#
# Script audit and contributions from Carmichael Security <http://www.carmichaelsecurity.com>
#      Erik Anderson <eanders@carmichaelsecurity.com>
#      Added links to the Bugtraq message archive and Microsoft Knowledgebase
#
# There was no information on the BugBear protocol. 
# I found a worm in the wild and found that it replied to the "p" command;
# the data look random but ends with "ID:"  and a number
# Thomas Reinke confirmed that his specimen of the worm behaved in the 
# same way. 
# We will not provide the full data here because it might contain 
# confidential information.
# 
# References:
#
# Date: Tue, 1 Oct 2002 02:07:29 -0400
# From:"Russ" <Russ.Cooper@RC.ON.CA>
# Subject: Alert:New worms, be aware of internal infection possibilities
# To:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
#

if(description)
{
 script_id(11135);
 if(defined_func("script_xref"))script_xref(name:"IAVA", value:"2001-a-0004");
 script_bugtraq_id(2524);
 script_cve_id("CVE-2001-0154"); # For MS01-020 - should be changed later
 script_version ("$Revision: 118 $");
 name["english"] = "Bugbear worm";
 name["francais"] = "Ver Bugbear";

 script_name(english:name["english"], francais: name["francais"]);
 
 desc["english"] = "
BugBear backdoor is listening on this port. 
A cracker may connect to it to retrieve secret 
information, e.g. passwords or credit card numbers...

The BugBear worm includes a key logger and can kill 
antivirus or personal firewall softwares. It propagates 
itself through email and open Windows shares.
Depending on the antivirus vendor, it is known as: Tanatos, 
I-Worm.Tanatos, NATOSTA.A, W32/Bugbear-A, Tanatos, W32/Bugbear@MM, 
WORM_BUGBEAR.A, Win32.BugBear...

http://www.sophos.com/virusinfo/analyses/w32bugbeara.html
http://www.ealaddin.com/news/2002/esafe/bugbear.asp
http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html
http://vil.nai.com/vil/content/v_99728.htm

Reference : http://online.securityfocus.com/news/1034
Reference : http://support.microsoft.com/default.aspx?scid=KB;en-us;329770&

Solution: 
- Use an Anti-Virus package to remove it.
- Close your Windows shares
- Update your IE browser 
  See 'Incorrect MIME Header Can Cause IE to Execute E-mail Attachment'
  http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx

Risk factor : Critical";

 desc["francais"] = "
La backdoor BugBear 閏oute sur ce port.
Un pirate peut se connecter dessus pour retrouver des informations
secr鑤es, par exemple des mots de passe ou des num閞os de carte de
cr閐it...

Le ver BugBear inclut un 'key logger' et peut tuer les logiciels
antivirus ou firewalls personnels. Il se propage via le courrier
閘ectronique ou les partages Windows ouverts.
Selon le vendeur d'antivirus, il est aussi nomm