Bugbear set to stick around

The latest worm, which is still proliferating, may not go away any time soon unless millions of users can be convinced to update their antivirus software

The Bugbear email worm continued to top the virus charts over the weekend, but even though antivirus experts said that it may now be peaking there are signs it won't fade away any time soon.

UK email service provider Messagelabs, which hosts email servers around the world, said it intercepted 66,000 messages infected with Bugbear on Friday, with levels falling to 35,000 on Saturday and 34,000 on Sunday as business users logged off.

"So far today, it looks like there will be less Bugbear than last week, but we haven't had the United States wake up yet," said Alex Shipp, senior antivirus technologist with Messagelabs. "There are still pretty high levels. We expect to have stopped several tens of thousands by the end of the day."

Shipp said that most users do not appear to be upgrading their antivirus software unless they are aware of an infection. This pattern emerged with the Klez virus, variants of which have lingered at the top of Messagelabs' charts since this spring. With the publicity surrounding Bugbear, many Klez victims finally downloaded new software and banished the older worm, but many more have been left vulnerable to Bugbear.

Since Bugbear exhibits few symptoms on an infected computer, users may not even take precautions after they have been attacked, Shipp said.

Known technically as W32.Bugbear or I-Worm.Tanatos, experts now believe the virus to be a modified version of the earlier Badtrans worm. It installs a backdoor that can be used by hackers to take control of the computer, disables various antivirus measures and any personal firewall that might be present and installs a program for recording keystrokes -- which can log any passwords typed in by the user. It scours the computer for email addresses, to which it sends infected messages via its own email engine. The virus only affects Windows machines.

Antivirus experts had been concerned about a secondary wave of attacks as hackers take advantage of the backdoors that Bugbear has installed in thousands of computers, but it now seems that this risk is lower than originally thought.

"To exploit the backdoor, an attacker would need knowledge of how it works," Shipp said. "It's difficult to find that out by typing random commands, so the ability to use the backdoor may be limited to the virus author. But that might change if he decides to publish the details of the backdoor on the Web."

He noted that the backdoor could be reverse-engineered by other hackers, but that this would take some time. Messagelabs has installed "honeypots" -- computers posing as Bugbear-infected PCs -- but so far has not detected any hackers scanning for Bugbear's backdoor vulnerability.

For more information on protecting your PC from Bugbear, and links to antivirus vendors, see ZDNet's Help & HowTo on Bugbear.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.