BugBear.B backdoor is listening on this port.
A cracker may connect to it to retrieve secret
information, e.g. passwords or credit card numbers...

The BugBear.B worm includes a key logger and can kill
antivirus or personal firewall softwares. It propagates
itself through email and open Windows shares.

Solution:
- Use an Anti-Virus package to remove it.
- Close your Windows shares
- See http://www.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.removal.tool.html

Risk factor : Critical
Copyright This script is Copyright (C) 2003 Tenable Network Security

Classification

Risk: –
CVSS: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Port: 81
Family: Backdoors
Dependencies: "http_version.nasl"
Description

Your system seems to be infected by the Bugbear.B virus
(its backdoor has been detected on port 81).
Sources

CVE: –
OSVDB: –
Bugtraq: –
Plugin

Filename: bugbear_b.nasl
Version: 1.7
Identification: –

Content:
#
# (C) 2003 StrongHoldNet
#
# Licence : GPL v2
#
# Modifications by rd:
# -> Try every web server, not just port 81
#
# UNTESTED


include("compat.inc");

if (description)
{
script_id(11707);
script_version ("$Revision: 1.7 $");

script_name(english:"Bugbear.B Web Backdoor Detection");

script_set_attribute(attribute:"synopsis", value:
"The remote host is compromised." );
script_set_attribute(attribute:"description", value:
"Your system seems to be infected by the Bugbear.B virus
(its backdoor has been detected on port 81)." );
script_set_attribute(attribute:"see_also",
value:"http://www.f-secure.com/v-descs/bugbear_b.shtml" );
script_set_attribute(attribute:"solution", value:
"Use your favorite antivirus to disinfect your system.
Standalone disinfection tools also exist :
ftp://ftp.f-secure.com/anti-virus/tools/f-bugbr.zip" );
script_set_attribute(attribute:"cvss_vector", value:
"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C" );
script_set_attribute(attribute:"plugin_publication _date", value:
"2003/06/09");
script_end_attributes();

script_summary(english:"Checks for Bugbear.B web backdoor");
script_category(ACT_GATHER_INFO);
script_family(english:"Backdoors");
script_copyright(english:"This script is Copyright (C) 2003-2010
StrongHoldNet");
script_dependencie("http_version.nasl");
script_require_ports("Services/www", 81);
exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:81);
if(!port)exit(0);

if(!get_port_state(port))exit(0);
url = '/%NETHOOD%/';
req = http_get(item:url, portort);
buf = http_keepalive_send_recv(portort, data:req);
if( buf NULL ) exit(0);
if(ereg(pattern:"^HTTP/[0-9]\.[0-9] 200 ", string:buf) && "Microsoft Windows
Network" >< buf) security_hole(port);
==
crash4x4.my1.ru