The Bugbear virus is rapidly spreading around the world, according to alerts issued by antivirus companies and computer security experts. The virus first appeared Monday and has since spread rapidly.
The virus is sent as an e-mail attachment with a variety of subject lines including "bad news," "Membership Confirmation," "Market Update Report," and "Your Gift." Code in the virus generates random attachment names and subject lines to avoid easy detection by antivirus software and assigns multiple file extensions to the virus to disguise the fact that it is an executable file, according to Vincent Gullotto, vice president of the McAfee AVERT (Anti-Virus Emergency Response Team) at Network Associates Inc.
Once activated, the virus shuts down vital processes used by antivirus and firewall software, records user keystrokes to capture passwords, sends copies of itself as e-mail attachments, and copies itself on to directories shared by networks that are accessible to the computers it infects.
The virus appears to be able to randomly forward copies of itself as attachments to old e-mail messages on the computers it infects to randomly selected third parties, according to a statement released by F-Secure Corp. of Helsinki. In addition to propagating the virus, this feature discloses otherwise personal e-mail correspondence to third parties.
As it attempts to access shared directories on computer networks, the virus may also send copies of itself to shared network printers, which will begin printing the binary code of the virus executable, according to F-Secure.
Finally, Bugbear opens a backdoor to the machines that it infects. Using a Web browser, the virus author or malicious hackers can access a Web interface created by the virus, browse local files on an infected machine and execute programs on that machine, according to F-Secure.
While initial reports indicated that Bugbear's code might have contained flaws that prevented it from being able to mail itself out to new recipients, the rapid spread of the virus over the past two days seems to be proof that the virus is more than capable of reproducing itself.
Symantec Corp. announced Wednesday that it was upgrading Bugbear to a level four virus on a scale of one to five, with five being the most serious. Symantec pointed to a rapid increase in reports of the virus from customers, from 157 submissions on Tuesday to more than 2,000 by Wednesday morning.
In its statement, F-Secure indicated that incidents of the Bugbear infection had surpassed incidents of infection by the Klez virus, which had been the most widely circulated virus of 2002.
Reports of new infections are higher in Europe and Asia than in the U.S., according to Chris Wraight, technology consultant at antivirus software maker Sophos PLC. Bugbear is a far less formidable threat than predecessors like Klez, Wraight said.
"We're still looking at infections in the thousands. At this point with (the Klez virus) we were talking about millions of infections," Wraight said.
Leading antivirus software vendors have posted updated virus definitions covering the Bugbear worm. Antivirus software vendors are encouraging customers whose computers have not yet been infected to update their antivirus software.
Customers whose computers have been infected need to remove all files related to the virus from their machines and are encouraged to update any passwords that might have been exposed to the virus, according to F-Secure.
Another menace on the loose this week is a worm dubbed Opaserv, which exploits the Windows file-sharing protocol SMB for copying information over to another machine. Opaserv opens a backdoor to connect to a Web site, www.opasoft.com, so the attacker can send files to it. "We don't know much about this because the machine was taken down," Tony Magallanez, engineer at security firm F-Secure says.
- Additional reporting by Ellen Messmer.