New version of Bugbear mauling users

A new version of the Bugbear virus is spreading quickly on the Internet, according to alerts posted by leading antivirus companies.

The new variant, called Bugbear.B, was first detected on Thursday and shares many of the same characteristics as the first Bugbear virus, which appeared in September 2002 and was also known as "Tanatos," according to Helsinki, Finland-based antivirus company F-Secure Corp.

At least one antivirus company, Network Associates Inc., upgraded its rating on the new virus to "high," the first virus since Slammer to achieve that rating, according to a spokeswoman for Network Associates' McAfee business unit.

Like the first Bugbear virus, Bugbear.B is an e-mail worm, which spreads by sending copies of itself out as attachments to e-mail messages.

Like its predecessor, Bugbear.B attempts to exploit known vulnerabilities in Microsoft Corp.'s Outlook, Outlook Express and Internet Explorer products that enable attachments to be opened automatically when the e-mail containing them is opened, according to antivirus company Sophos PLC.

Also like the first Bugbear, Bugbear.B is a messy virus that makes a number of modifications to the systems it infects while dropping copies of programs that can snoop on a user's activity, infecting common Windows applications and opening a back door that could be used by hackers, according to Sophos.

Bugbear.B is also capable of detecting and shutting down antivirus programs that it finds running on the systems it infects, Sophos said.

The Bugbear.B virus arrives in e-mail messages with a variety of subjects such as "Your news Alert," "Your Gift," "click on this!" and "cows."

In addition to pulling subjects from a list it maintains internally, the virus randomly excerpts content from files on the hard drives of computers it infects and uses that information to supply the subject line for messages carrying the virus, according to David Emm, marketing manager for McAfee AVERT.

Like the subject line, the e-mail attachment containing the virus code also uses a variety of names chosen from a list maintained by the worm or grabbed from files on the infected host computer.

Attachments use a variety of file extensions including ".exe," ".scr" and ".pif," and names such as "readme," "setup," "photo," and "news," according to F-Secure.

Bugbear.B also contains address spoofing features that enable it to pull e-mail addresses skimmed from files on the infected computer and insert them in the "From" line of the e-mails it sends out, Emm said.

Recipients might be tricked into opening a message that appears to come from a trusted source, and can also be fooled into thinking that the apparent sender's machine has been infected with Bugbear.B, when another machine is really the source, he said.
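The two behaviours described above, executable attachments under innocuous names and a harvested address in the "From" line, are what a mail gateway can act on. The following is an added example of that triage logic written for this article, not a vendor's detection code; the sample message and the envelope sender are constructed, and the extension list is taken from the article.

```python
"""Gateway-style triage for messages matching the Bugbear.B pattern.

Flags attachments whose final extension is one the article lists as a
carrier, and keeps the message "From" line separate from the SMTP
envelope sender, because Bugbear.B fills "From" with addresses harvested
from the infected host and the header therefore cannot identify it.
"""
import os
from email import message_from_string
from email.message import EmailMessage, Message

# Extensions named in the article as attachment carriers.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif"}


def risky_attachments(msg: Message) -> list:
    """Return filenames of attachments whose final extension is executable."""
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if name is None:
            continue
        # splitext keeps only the last extension, so "photo.jpg.exe" -> ".exe"
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            found.append(name)
    return found


def triage(raw: str, envelope_sender: str) -> dict:
    """Decide whether to quarantine and record attribution data separately."""
    msg = message_from_string(raw)
    attachments = risky_attachments(msg)
    header_from = msg.get("From", "")
    return {
        "quarantine": bool(attachments),
        "attachments": attachments,
        "header_from": header_from,
        # envelope_sender comes from the SMTP session (MAIL FROM), not the
        # message body; a mismatch means the "From" line is not the origin.
        "from_matches_envelope": envelope_sender.lower() in header_from.lower(),
    }


def build_sample() -> str:
    """Constructed sample resembling the article's description; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.org"  # harvested address, not the true sender
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "Your news Alert"  # one of the subjects quoted in the article
    msg.set_content("see attached")
    msg.add_attachment(b"MZ-placeholder", maintype="application",
                       subtype="octet-stream", filename="readme.scr")
    return msg.as_string()
```

Running `triage(build_sample(), "infected-host@example.com")` quarantines the message on the `.scr` attachment and reports that the "From" line does not match the envelope sender, which is the cue not to treat colleague@example.org's machine as the infected one.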

Unlike the first Bugbear virus, however, the new variant is "polymorphic," meaning that it is capable of subtly changing the way the virus code is encrypted to fool antivirus software, he said.

"There's a potential danger with polymorphic viruses that if you don't construct your virus detector properly, you could miss some samples," he said.

McAfee AVERT first detected the new Bugbear variant on Wednesday, rating it a "Medium" risk and then upgrading it to a "High" risk on Thursday as the number of reported infections mounted.

Other antivirus companies, including Symantec Corp. and F-Secure, continued to rate Bugbear.B as a moderate risk early Thursday.

The sheer number of actions taken by the virus after it infects machines, including its ability to squelch antivirus software, install a backdoor on machines and infect common application executable files, which then reinfect machines when they are opened, makes disinfecting machines hit with the virus more complex than with previous viruses, Emm said.

Antivirus companies recommended that customers update their antivirus software to protect against Bugbear.B. Instructions and tools for removing the virus from infected machines were also provided by leading antivirus vendors.

Paul Roberts

IDG News Service