Cisco Support Community

New Member

W32.BugBear sigs

Anyone have any sigs or network dumps of the bugbear worm/its traffic that's going around now?


New Member

Re: W32.BugBear sigs

Did you get any responses? I'd like to have them if you did. I'm thinking SANS, EEYE, or CERT may have them available.


New Member

Re: W32.BugBear sigs

I submitted a TAC Case on this issue and was told by the engineer that contacted me that Cisco has no plans to add a specific signature to capture the BugBear virus. Three days later they released Signature Update 3.1(3)S33. Below is a description of the signature in question from the Cisco Alert.

"Signature 9023 has been added to address the backdoor created by the W32.Bugbear worm. The signature will fire if a SYN packet is detected destined for TCP port 36794. Any activity on this port may indicate an attacker accessing the Bugbear backdoor. This signature is disabled by default. You can only apply this signature update to IDS-42xx and NRS-xx series Cisco Intrusion Detection System (IDS) sensors. It is not compatible with the WS-X6381-IDS series Intrusion Detection System Module (IDSM)."

Note that this signature is disabled by default (all action codes are set to "0" in packetd.conf), therefore set the action codes to a value higher than 0 and higher than your MinContextLevel to see attempts to access the backdoor port by BugBear.


Re: W32.BugBear sigs

Here is an example signature converted from a proposed Snort signature that supposedly fires on the Bugbear worm. It has not been tested. Nor will it be supported or included in a signature update. It may produce false positives and cause a performance hit on your sensors.

Also, we did release a signature for the BugBear backdoor port in S33. It was a miscommunication that we would not create a signature for that. However, we do not generally write signatures for email-borne viruses like BugBear itself. We believe that anti-virus is the best solution for mitigating these kinds of problems.


Current Signature: Engine ATOMIC.TCP SIGID 20000

SigName: Bugbear Worm


0 - Edit ALL Parameters

1 - AlarmInterval =

2 - AlarmThrottle = FireOnce

3 - ChokeThreshold = 100

4 - DstPort = 25

5 - FlipAddr =

6 - LimitSummary =

7 * Mask = PSH ACK

8 - MaxInspectLength =

9 - MinHits =

10 - PortRange =

11 - ResetAfterIdle = 15

12 - SigComment =

13 - SigName = Bugbear Worm

14 - SigStringInfo =

15 - SinglePacketRegex =


16 - SourcePorts =

17 - SrcPort =

18 * StorageKey = SRC

19 * TcpFlags = PSH ACK

20 - ThrottleInterval = 30

21 - WantFrag =

d - Delete a value

u - UNDO and continue

x - SAVE and continue
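The two signatures discussed in this thread, 9023 (a SYN to TCP port 36794, per the S33 alert quoted earlier) and the ATOMIC.TCP example listed above, expressed as a small Python packet matcher. This is an added example, not Cisco's code or the sensor engine; the Mask/TcpFlags chosen for 9023, the header parsing and the sample packets are assumptions, and since SigID 20000's SinglePacketRegex is blank in the listing, no payload check is applied for it.

```python
import struct

# TCP flag bits, as used by the Mask / TcpFlags parameters in the listing above.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Hypothetical signature table modelled on the thread. 9023 is described only in
# prose ("a SYN packet ... destined for TCP port 36794"), so its Mask/TcpFlags are
# an assumption; 20000's values come from the listing (regex blank, so none applied).
SIGNATURES = [
    {"sigid": 9023, "name": "Bugbear backdoor", "dst_port": 36794,
     "mask": SYN | ACK, "flags": SYN, "throttle": "FireOnce", "key": "SRC"},
    {"sigid": 20000, "name": "Bugbear Worm", "dst_port": 25,
     "mask": PSH | ACK, "flags": PSH | ACK, "throttle": "FireOnce", "key": "SRC"},
]

def parse_packet(raw: bytes):
    """Return (src_ip, dst_port, tcp_flags) from a minimal IPv4+TCP header (no TCP options)."""
    ihl = (raw[0] & 0x0F) * 4                       # IPv4 header length in bytes
    src = ".".join(str(b) for b in raw[12:16])      # source address field
    dport, = struct.unpack("!H", raw[ihl + 2:ihl + 4])
    flags = raw[ihl + 13]                           # TCP flags byte
    return src, dport, flags

def run_sensor(packets):
    """Evaluate each packet against SIGNATURES; return a list of (sigid, src_ip) alarms."""
    alarms, fired = [], set()
    for raw in packets:
        src, dport, flags = parse_packet(raw)
        for sig in SIGNATURES:
            # ATOMIC.TCP semantics: only the bits in Mask are compared against TcpFlags.
            if dport != sig["dst_port"] or (flags & sig["mask"]) != sig["flags"]:
                continue
            key = (sig["sigid"], src if sig["key"] == "SRC" else None)
            if sig["throttle"] == "FireOnce" and key in fired:
                continue  # AlarmThrottle=FireOnce with StorageKey=SRC: one alarm per source
            fired.add(key)
            alarms.append((sig["sigid"], src))
    return alarms

def make_packet(src_ip: str, dst_port: int, flags: int) -> bytes:
    """Build a constructed IPv4+TCP header (checksums left zero) for offline testing."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 0x50, flags, 8192, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    sample = [make_packet("10.0.0.5", 36794, SYN), make_packet("10.0.0.5", 36794, SYN),
              make_packet("10.0.0.5", 36794, SYN | ACK), make_packet("10.0.0.9", 25, PSH | ACK)]
    for sigid, src in run_sensor(sample):
        print(f"sig {sigid} fired for {src}")
```

The second SYN from the same source is suppressed by FireOnce, and the SYN/ACK does not match because Mask includes ACK while TcpFlags requires only SYN.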


New Member

Re: W32.BugBear sigs

I have been looking for the BUGBEAR signature in the S33 Sig update but have not been able to find it. Can you give the SIGID for the BUGBEAR signature?



Re: W32.BugBear sigs

9023. It is just an alarm that can be turned to warn of possible scanning for or usage of the backdoor left by the Bugbear worm.
