New Bugbear worm strikes

Computer Associates expert Jakub Kaminsky on Wednesday confirmed the company's anti-virus laboratories had received their first sample of the variant from an Australian user late on Thursday afternoon, Australian time, but had seen nothing from their customers since.

Other security firms have also discovered the new worm "in the wild", or affecting computers outside the lab. IDefense first found Bugbear.B in Australia and the US on Wednesday, and said it has since gained ground rapidly. Messagelabs, which runs outsourced email servers for 700,000 customers around the world, said it had filtered out 190 emails infected with the worm in 20 countries as of Thursday morning at 10 a.m. BST, but the number had risen to 1,654 in 56 countries by 11 a.m.

The first Bugbear worm spread rapidly last autumn, creating about 320,000 infected messages in its first week, according to MessageLabs. This week has already seen another significant virus threat emerge with the spread of W32/Sobig.C-mm, which has generated about 30,000 infected messages per day this week, according to MessageLabs.

Like the first worm, Bugbear.B is a mass-mailing virus that infects Windows PCs. After it infects a PC, the virus searches the machine for email addresses and sends a message out to each address, with a copy of itself attached. Bugbear also grabs a random address from those found in the email program on the PC and uses it in the "From:" line of the messages it sends. This disguises where the actual emails are coming from and makes it difficult to alert someone that their system is infected. The virus also attempts to spread by copying itself to other computers that share their hard drives with the infected system.

Bugbear also searches for any of a long list of security programs or antivirus programs and halts them if they are running on the victim's machine. In some cases, Bugbear can also cause printers on a network with infected PCs to start printing a large amount of raw binary data.

More dangerously, the virus installs a keylogger that records what the user types -- a method of capturing passwords -- and a Trojan horse backdoor, communicating on port 1080, which allows an attacker to take control of the system.

The virus uses a flaw in the way Microsoft Outlook formats email using MIME (multipurpose Internet mail extensions). The flaw, if left unpatched, allows the virus to automatically execute on a victim's PC if Outlook displays the text of the message. While the flaw and its patch are more than two years old, some users have still not fixed the problem.

Computer Associates' Kaminsky said that reporting of the virus was likely to increase over the next few hours as European and United States residents awoke and accessed their email inboxes. "Probably tomorrow, we should have more records from Australian users," he told ZDNet Australia .

He predicted that the variant -- also known as W32/Kimjo.A-mm and W32.Shamur -- would spread widely over the next couple of days, before increased consumer awareness, anti-virus vendors updating their offerings and users subsequently installing new patches slowed its progress.

While home users face the greater individual threat from the variant, the infection of a large corporate network would see it "truly spread like wildfire" due to its propensity to try to propagate through email addresses found by searching through specific files, and to spread over a network, Kaminsky said. However, most companies who are up to scratch with their virus defenses automatically block the file extension types through which the variant is delivered -- .pif, .scr and .exe.

Kaminsky said blocking any executable attachment -- particularly with double extensions, which characterise both the original BugBear and its variant -- was "a good idea" and a natural precaution for companies.

CNET News.com's Robert Lemos contributed to this report.