X
Business

New Bugbear worm races up virus charts

Update: A variant on the fast-spreading Bugbear worm has emerged near the top of security firms' virus charts after appearing in the US and Australia overnight, with the UK particularly badly affected
Written by Iain Ferguson, Contributor and  Matthew Broersma, Contributor

A new variant of the Bugbear virus -- Win32.Bugbear.B -- has emerged and threatens corporate and home computer systems, according to antivirus experts. The worm has spread quickly during the day, hitting the UK particularly hard, according to data from email provider MessageLabs.

Computer Associates expert Jakub Kaminsky on Wednesday confirmed the company's antivirus laboratories had received their first sample of the variant from an Australian user late on Thursday afternoon, Australian time.

Security firm iDefense first found Bugbear.B in Australia and the US on Wednesday, and said it has since gained ground rapidly. MessageLabs, which runs outsourced email servers for 700,000 customers around the world, said it has labelled the worm "high risk", and reported more than 22,000 infections in 110 countries as of 4.20 p.m. BST. At that time, 16 percent of the cases were in the UK.

MessageLabs said the worm was the second most rapidly spreading on its charts, narrowly trailing W32/Sobig.C-mm, which also emerged this week.

The first Bugbear worm spread rapidly last autumn, creating about 320,000 infected messages in its first week, according to MessageLabs. This week has already seen another significant virus threat emerge with the spread of W32/Sobig.C-mm, which has generated about 30,000 infected messages per day this week, according to MessageLabs.

Like the first worm, Bugbear.B is a mass-mailing virus that infects Windows PCs. After it infects a PC, the virus searches the machine for email addresses and sends a message out to each address, with a copy of itself attached. Bugbear also grabs a random address from those found in the email program on the PC and uses it in the "From:" line of the messages it sends. This disguises where the actual emails are coming from and makes it difficult to alert someone that their system is infected. The virus also attempts to spread by copying itself to other computers that share their hard drives with the infected system.

Bugbear also searches for any of a long list of security programs or antivirus programs and halts them if they are running on the victim's machine. In some cases, Bugbear can also cause printers on a network with infected PCs to start printing a large amount of raw binary data.

More dangerously, the virus installs a keylogger that records what the user types -- a method of capturing passwords -- and a Trojan horse backdoor, communicating on port 1080, which allows an attacker to take control of the system.

The virus uses a flaw in the way Microsoft Outlook formats email using MIME (multipurpose Internet mail extensions). The flaw, if left unpatched, allows the virus to automatically execute on a victim's PC if Outlook displays the text of the message. While the flaw and its patch are more than two years old, some users have still not fixed the problem.

Computer Associates' Kaminsky said that reporting of the virus was likely to increase over the next few hours as European and United States residents awoke and accessed their email inboxes. "Probably tomorrow, we should have more records from Australian users," he told ZDNet Australia.

He predicted that the variant -- also known as W32/Kimjo.A-mm and W32.Shamur -- would spread widely over the next couple of days, before increased consumer awareness, anti-virus vendors updating their offerings and users subsequently installing new patches slowed its progress.

While home users face the greater individual threat from the variant, the infection of a large corporate network would see it "truly spread like wildfire" due to its propensity to try to propagate through email addresses found by searching through specific files, and to spread over a network, Kaminsky said. However, most companies who are up to scratch with their virus defenses automatically block the file extension types through which the variant is delivered -- .pif, .scr and .exe.

Kaminsky said blocking any executable attachment -- particularly with double extensions, which characterise both the original BugBear and its variant -- was "a good idea" and a natural precaution for companies.

CNET News.com's Robert Lemos contributed to this report.


For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.

Let the editors know what you think in the Mailroom.

Editorial standards