Bugbear Worm Topping Virus Charts
"It was such a nice and quiet year virus-wise, up until the
middle of September," lamented Mikko Hypponen, manager of anti-virus
research at F-Secure Corp.
Unfortunately (or fortunately, if you're in the business of
selling anti-virus systems) the last few weeks have seen a
resurgence of inventive new worms, the latest of which, Bugbear, was
yesterday upgraded to "high risk" by a number of anti-virus vendors.
Depending on which vendor you talk to, the impact of Bugbear was
somewhere between "several hundred infections" and "millions of
e-mail users fall victim to attack!" The Outlook worm is either the
first or second most widespread virus, vendors said.
What is remarkable about the virus, which arrives as an email
attachment, is that the body text of the message apparently has
perfect grammar and spelling, eliminating the usual first warning
sign that you've received a virus.
"Most viruses look more virusy," said Network Associates Inc's
virus research manager April Goostree. "Bugbear is spam-like." She
said there are about 40 different messages Bugbear can use, most of
which look like offers for free stuff.
Bugbear can infect a PC when the user clicks on the attachment, or,
if the user is running a copy of Internet Explorer that hasn't been
patched against the old IFrame vulnerability, as soon as the message
is displayed in the Outlook preview pane: that flaw lets the
attachment launch itself without any click at all.
"It's a very old exploit and most people have got the patch,"
said Goostree, who believes the author is probably based in
Singapore or Malaysia, where the first infections were reported on
The payload tries to install a keystroke logger and backdoor on
the victim PC, turn off anti-virus and firewall software, and send
itself to addresses in the Outlook address book. It spoofs the From:
field of outgoing mail to make it look like somebody else is
infected, making it difficult to notify victims of their infection.
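The two traits the article attributes to Bugbear mail, an executable attachment and a forged From: line, are enough for a coarse gateway triage check. The following is an added example, not code from the original article or from any of the anti-virus vendors quoted in it. The two messages are constructed samples rather than captured Bugbear mail, and the list of executable extensions and the Return-Path comparison are assumptions of this example: it assumes the receiving mail server stamps a Return-Path header with the envelope sender, which is where the forgery shows, since the article says the worm forges the visible From: field.

```python
"""Triage check for Bugbear-style mail: flag executable attachments and
a visible From: address that differs from the envelope sender.

Added example, not part of the original article.  The sample messages
below are constructed, not real Bugbear mail."""
import os
from email import message_from_string
from email.utils import parseaddr

# Assumption of this example: a generic list of extensions that ran as
# code on a Windows PC of the period, not the article's or the worm's own.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs"}


def attachment_names(msg):
    """Return the filenames of every MIME part that carries one."""
    names = []
    for part in msg.walk():            # includes the multipart container, which has no filename
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def sender_mismatch(msg):
    """True when the visible From: address differs from the envelope sender
    recorded in Return-Path.  A worm that forges From: to point at an
    uninfected third party leaves exactly this gap."""
    visible = parseaddr(msg.get("From", ""))[1].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    return bool(visible and envelope and visible != envelope)


def triage(raw):
    """Return the list of reasons a raw RFC 822 message should be held."""
    msg = message_from_string(raw)
    reasons = []
    for name in attachment_names(msg):
        ext = os.path.splitext(name)[1].lower()
        if ext in EXEC_EXTENSIONS:
            reasons.append("executable attachment: " + name)
    if sender_mismatch(msg):
        reasons.append("From: does not match Return-Path")
    return reasons


# Constructed sample: forged From:, envelope sender is the infected host,
# and a screensaver attachment.  Not a captured Bugbear message.
SUSPECT = """Return-Path: <infected-host@example.net>
From: "A. Colleague" <colleague@example.org>
To: victim@example.com
Subject: Free shipping!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Please see the attached offer.
--XX
Content-Type: application/octet-stream; name="offer.scr"
Content-Disposition: attachment; filename="offer.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XX--
"""

# Constructed sample of ordinary mail: envelope and From: agree, PDF attached.
CLEAN = """Return-Path: <colleague@example.org>
From: "A. Colleague" <colleague@example.org>
To: victim@example.com
Subject: Minutes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="YY"

--YY
Content-Type: text/plain

Minutes attached.
--YY
Content-Type: application/pdf; name="minutes.pdf"
Content-Disposition: attachment; filename="minutes.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--YY--
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(label, triage(raw))
```

Running the block prints the reasons for each sample; a real deployment would feed `triage` the raw message from the mail server and hold anything that returns a non-empty list. The check is a heuristic: mailing lists and forwarders also produce a From:/Return-Path mismatch, so it belongs in a hold-for-review queue rather than a silent drop, and it says nothing about the keylogger, backdoor or network-share spreading the article also describes.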
Bugbear also attempts to spread via open Windows network shares,
meaning even those smart enough never to click on suspicious
attachments could be infected. It also tries to print out several
pages of its own code if there is a printer attached to the infected
PC, though there doesn't seem to be any good reason for it to do