Technology Public Relations   







Friday October 4th 2002
Daily News

Bugbear Worm Topping Virus Charts

"It was such a nice and quiet year virus-wise, up until the middle of September," lamented Mikko Hypponen, manager of anti-virus research at F-Secure Corp.

Unfortunately (or fortunately, if you're in the business of selling anti-virus systems) the last few weeks have seen a resurgence of inventive new worms, the latest of which, Bugbear, was yesterday upgraded to "high risk" by a number of anti-virus vendors.

Depending on which vendor you talk to, the impact of Bugbear was somewhere between "several hundred infections" and "millions of e-mail users fall victim to attack!" The Outlook worm is either the first or second most widespread virus, vendors said.

What appears to be remarkable about the virus, which arrives as an attachment to an email, is that the body text of the email apparently has perfect grammar and spelling, thus eliminating the usual first warning sign that you've received a virus.

"Most viruses look more virusy," said Network Associates Inc's virus research manager April Goostree. "Bugbear is spam-like." She said there are about 40 different messages Bugbear can use, most of which look like offers for free stuff.

Bugbear can infect a PC when the user clicks on the attachment, or if they are running Internet Explorer that hasn't been patched against the old IFrame vulnerability, which allows viruses to launch themselves from the Outlook preview pane.

"It's a very old exploit and most people have got the patch," said Goostree, who believes the author is probably based in Singapore or Malaysia, where the first infections were reported on September 30.

The payload tries to install a keystroke logger and backdoor on the victim PC, turn off anti-virus and firewall software and send itself to addresses in the Outlook address book. It spoofs the From: field of outgoing mail to make it look like somebody else is infected, making it difficult to notify victims of their infection, Goostree said.

Bugbear also attempts to spread via open Windows network shares, meaning even those smart enough to never click on suspicious attachments could be infected. It also tries to print out several pages of its own code if there is a printer attached to the infected PC, though there doesn't seem to be any good reason for it to do this.