New version of Bugbear mauling users

A new version of the Bugbear virus is spreading quickly on the Internet, according to alerts posted by leading anti-virus companies.

The new variant, called Bugbear.B, was first detected on Thursday and shares many of the same characteristics as the first Bugbear virus, which appeared in September 2002 and was also known as Tanatos, according to Helsinki, Finland-based antivirus company F-Secure.

At least one antivirus company, Network Associates, has upgraded its rating on the new virus to "high", the first virus since Slammer to achieve that rating, according to a spokesperson for the company's McAfee business unit.

Like the first Bugbear virus, Bugbear.B is an email worm that spreads by sending copies of itself out as attachments in email messages.

Like its predecessor, Bugbear.B attempts to exploit known vulnerabilities in Microsoft Outlook, Outlook Express and Internet Explorer that allow attachments to be opened automatically when the email containing them is opened, according to antivirus company Sophos.

Also like the first Bugbear, Bugbear.B is a messy virus that makes a number of modifications to the systems it infects while dropping copies of programs that can snoop on a user's activity, infecting common Windows applications and opening a back door that could be used by hackers, according to Sophos.

Bugbear.B is also capable of detecting and shutting down antivirus programs that it finds running on the systems it infects.

The Bugbear.B virus arrives in email messages with a variety of subjects such as "Your news Alert", "Your Gift", "click on this!" and "cows". In addition to pulling subjects from a list it maintains internally, the virus randomly excerpts content from files on the hard drives of computers it infects and uses that information to supply the subject line for messages carrying the virus, according to David Emm, marketing manager for McAfee AVERT.

Like the subject line, the email attachment containing the virus code also uses a variety of names chosen from a list maintained by the worm or grabbed from files on the infected host computer.

Attachments used a variety of file extensions including ".exe", ".scr" and ".pif" and names such as "readme", "setup", "photo" and "news", F-Secure said.

Bugbear.B also contained address spoofing features that enabled it to pull email addresses skimmed from files on the infected computer and insert them in the "From" line of the emails it sends out, Emm said.

Recipients might be tricked into opening the message from a trusted source, and could also be fooled into thinking that the sender's machine had been infected with Bugbear.B, when another machine was really the source, he said.
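As an added example that is not from the article or from any of the vendors it quotes, the following Python gateway filter applies the attachment indicators listed above (the ".exe", ".scr" and ".pif" extensions and the "readme"/"setup"/"photo"/"news" lure names) to a constructed message, and deliberately ignores the From header because the worm forges it.

```python
# Added example, not code from the article or any antivirus vendor.
# A minimal mail-gateway check built from the Bugbear.B indicators the
# article reports. The From header is never consulted: the worm inserts
# addresses skimmed from the infected host, so a trusted-looking sender
# proves nothing about where the message really came from.
import os
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the article; the lure-name list is illustrative
# and is not a complete detection signature for the worm.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif"}
LURE_NAMES = {"readme", "setup", "photo", "news"}


def classify_attachments(raw_message: bytes) -> dict:
    """Map each attachment filename to 'block', 'suspicious' or 'ok'.

    A risky executable extension is decisive ('block'); a lure name with a
    harmless extension only raises suspicion, since real users send files
    called 'photo' too.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    verdicts = {}
    for part in msg.walk():           # includes the multipart root, which has no filename
        name = part.get_filename()
        if not name:
            continue
        stem, ext = os.path.splitext(name.lower())
        if ext in RISKY_EXTENSIONS:
            verdicts[name] = "block"
        elif stem in LURE_NAMES:
            verdicts[name] = "suspicious"
        else:
            verdicts[name] = "ok"
    return verdicts


def build_sample() -> bytes:
    """Construct a message shaped like the article's description (made up data)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"   # forged sender, looks trusted
    msg["To"] = "user@example.com"
    msg["Subject"] = "Your news Alert"      # one of the subjects the article lists
    msg.set_content("see attached")
    # Constructed stand-ins for an executable and two ordinary attachments.
    msg.add_attachment(b"MZ-not-a-real-binary", maintype="application",
                       subtype="octet-stream", filename="readme.scr")
    msg.add_attachment(b"PK-not-a-real-zip", maintype="application",
                       subtype="zip", filename="photo.zip")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()
```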

Unlike the first Bugbear virus, however, the new variant was "polymorphic", meaning that it was capable of subtly changing the way the virus code was encrypted in order to fool antivirus software, Emm said.

"There's a potential danger with polymorphic viruses that if you don't construct your virus detector properly, you could miss some samples," he said.

McAfee AVERT first detected the new Bugbear variant on Wednesday, upgrading it to a medium risk and then to a high risk on Thursday as the number of reported infections mounted.

Other antivirus companies, including Symantec and F-Secure, continued to rate Bugbear.B as a moderate risk early Thursday.

The sheer number of actions taken by the virus after it infected machines, including its ability to squelch antivirus software, install a backdoor on machines and infect common application executable files, which then reinfected machines when they were opened, made disinfecting machines hit with the virus more complex than with previous viruses, Emm said.

Antivirus companies recommended that customers update their antivirus software to protect against Bugbear.B. Instructions and tools for removing the virus from infected machines were also provided by leading antivirus vendors.
