Focus: Bear bugs computers around the world

28 October 2002

Fighting the good fight: Precious Ndlovu (left), part of Helpdesk's On-Site Support, and Faghmie Davids (Telephonic Support) were among those called in to contend with the recent attack by the Bugbear/Tanatos virus at UCT.

ARLENE Hanmer, HEAT Administrator at Information & Communication Technology Services (ICTS), was enjoying her first day as backup Anti-Virus Administrator when she received notification from UCT's IT security provider, F-Secure, that a virus, known as the "Bugbear/Tanatos Worm", had hit Asia, the United States and Europe, and was likely to wiggle its deleterious way to South Africa on the next email.

The very next day, Hanmer recalls, the first calls started coming in to the Helpdesk from the Faculty of Law reporting problems with printers spewing reams of garbage. A detailed check by an ICTS Network and Operating Systems (NOS) consultant, and it became clear that these hitches were related to "Bugbear".

Over the next two weeks, Helpdesk personnel were running around campuses sorting out problems, the Helpdesk itself was swamped with calls, NOS had their hands full with clogged printer queues, and "Bugbear" very soon infected the Bremner, Cormack, Curie and Protem servers. All this in addition to the usual array of queries and bays for help.

"Bugbear", explains Hanmer, is a virus that comes in as an email attachment, using random subject and attachment names – like “Your Gift” – and file extensions to dupe unwitting mail readers into unleashing the worm's lethal payload. The virus is activated once the user logs on, and then starts deactivating security software and emailing itself to people in the user's address books.

Among its many dastardly deeds, the virus clogs up network printer queues – as happened at UCT – printing out gibberish and preventing all other print jobs from printing. It can also allow the virus' author or hacker access to the user's local files, and may even record the user's keystrokes to capture passwords and credit card details.

While waiting a suitable update and a fix from F-Secure, ICTS staff members were researching their own procedure to deter "Bugbear", with varying degrees of success. Since the F-Secure update has been distributed across Campus, however, the virus appears to have been contained (although predictions are that it, like the Klez Virus, will be around for some time, somewhere in the world).

But for now, all is quiet on the virus front at UCT, says Hanmer. “The thing about these viruses is that they are very demanding, on personnel and time,” she adds.

Anyone concerned that their PCs may be infected – has your purple triangular F-Secure Manager logo gone missing? – are urged to visit the ICTS website or contact the Helpdesk at extension 4500 or via email at

Creative Commons License This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.

Please view the republishing articles page for more information.