Bugbear virus, a bugaboo for PCs, spreading rapidly

The Bugbear virus is spreading quickly around the world since it first appeared on Monday, according to alerts issued by antivirus companies and computer security experts.

The virus comes as an e-mail attachment with a variety of subject lines including "bad news," "Membership Confirmation," "Market Update Report" and "Your Gift." Code in the virus generates random attachment names and subject lines to avoid easy detection by antivirus software and assigns multiple file extensions to the virus to disguise the fact that it is an executable file, according to Vincent Gullotto, vice president of the McAfee Anti-Virus Emergency Response Team at Network Associates Inc. in Santa Clara, Calif.

Once activated, the virus shuts down vital processes used by antivirus and firewall software, records user keystrokes to capture passwords, sends copies of itself as e-mail attachments, and copies itself onto directories shared by networks that are accessible to the computers it infects.

The virus appears to forward copies of itself as attachments to old e-mail messages on the computers it infects to randomly selected third parties, according to a statement released by F-Secure Corp. in Helsinki, Finland. In addition to propagating the virus, this feature discloses otherwise personal e-mail correspondence to third parties.

As it attempts to access shared directories on computer networks, the virus may also send copies of itself to shared network printers, which then begin printing the binary code of the virus executable, according to F-Secure.

Finally, Bugbear opens a back door to the machines that it infects. Using a Web browser, the virus author or malicious hackers can access a Web interface created by the virus, browse local files on an infected machine and execute programs on that machine, according to F-Secure.

While initial reports indicated that Bugbear's code might have contained flaws that prevented it from being able to mail itself out to new recipients, the rapid spread of the virus in the past two days indicates the virus is more than capable of reproducing itself.

Symantec Corp. announced today that it's upgrading Bugbear to a Level-four virus, on a scale of one to five, with five being the most serious. Cupertino, Calif.-based Symantec pointed to a rapid increase in reports of the virus from customers, from 157 submissions yesterday to more than 2,000 by this morning.

In its statement, F-Secure indicated that incidents of the Bugbear infection had surpassed incidents of infection by the Klez virus, which had been the most widely circulated virus this year.

Reports of new infections are higher in Europe and Asia than in the U.S., according to Chris Wraight, technology consultant at antivirus software maker Sophos PLC in Oxford, England. Bugbear is a far less formidable threat than predecessors like Klez, Wraight said.

"We're still looking at infections in the thousands. At this point with [the Klez virus] we were talking about millions of infections," Wraight said.

Leading antivirus software vendors have posted updated virus definitions covering the Bugbear worm. Antivirus software vendors are encouraging customers whose computers haven't yet been infected to update their antivirus software.

Customers whose computers have been infected need to remove all files related to the virus from their machines and are encouraged to update any passwords that might have been exposed to the virus, according to F-Secure.


Copyright © 2002 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon