Bugbear B

New version of Bugbear mauling users

Paul Roberts, IDG News Service\Boston Bureau
June 05, 2003, 08:50

A new version of the Bugbear virus is spreading quickly on the Internet, according to alerts posted by leading antivirus companies.

The new variant, called Bugbear.B, was first detected on Thursday and shares many of the same characteristics as the first Bugbear virus, which appeared in September, 2002 and was also known as "Tanatos," according to Helsinki, Finland-based antivirus company F-Secure Corp. [See "Bugbear virus spreading rapidly," Oct. 2]

At least one antivirus company, Network Associates Inc., upgraded its rating on the new virus to "high," the first virus since Slammer to achieve that rating, according to a spokeswoman for Network Associates' McAfee business unit.

Like the first Bugbear virus, the Bugbear.B is an e-mail worm, which spreads by sending copies of itself out as attachments in e-mail messages.

Like its predecessor, Bugbear.B attempts to exploit known vulnerabilities in Microsoft Corp.'s Outlook, Outlook Express and Internet Explorer products that enable attachments to be automatically opened when the e-mail containing them is opened, according to antivirus company Sophos PLC.

Also like the first Bugbear, Bugbear.B is a messy virus that makes a number of modifications to the systems it infects while dropping copies of programs that can snoop on a user's activity, infecting common Windows applications and opening a back door that could be used by hackers, according to Sophos.

Bugbear.B is also capable of detecting and shutting down antivirus programs that it finds running on the systems it infects, Sophos said.

The Bugbear.B virus arrives in e-mail messages with a variety of subjects such as "Your news Alert," "Your Gift," "click on this!" and "cows."

In addition to pulling subjects from a list it maintains internally, the virus randomly excerpts content from files on the hard drives of computers it infects and uses that information to supply the subject line for messages carrying the virus, according to David Emm, marketing manager for McAfee AVERT.

Like the subject line, the e-mail attachment containing the virus code also uses a variety of names chosen from a list maintained by the worm or grabbed from files on the infected host computer.

Attachments use a variety of file extensions including ".exe," ".scr" and ".pif," and names such as "readme," "setup," "photo," and "news," according to F-Secure.

Bugbear.B also contains address spoofing features that enables it to pull e-mail addresses skimmed from files on the infected computer and insert them in the "From" line of the e-mails it sends out, Emm said.

Recipients might be tricked into opening the message from a trusted source, and can also be fooled into thinking that the sender's machine has been infected with Bugbear.B, when another machine is really the source, he said.

Unlike the first Bugbear virus, however, the new variant is "polymorphic," meaning that it is capable of subtly changing the way the virus code is encrypted to fool antivirus software, he said.

"There's a potential danger with polymorphic viruses that if you don't construct your virus detector properly, you could miss some samples," he said.

McAfee AVERT first detected the new Bugbear variant on Wednesday, upgrading it to a "Medium" risk and then to a "High" risk on Thursday and the number of reported infections mounted.

Other antivirus companies, including Symantec Corp. and F-Secure continued to rate Bugbear.B as a moderate risk early Thursday.

The sheer number of actions taken by the virus after it infects machines, including its ability to squelch antivirus software, install a backdoor on machines and infect common application executable files, which then reinfect machines when they are opened, makes disinfecting machines hit with the virus more complex than with previous viruses, Emm said.

Antivirus companies recommended that customers update their antivirus software to protect against Bugbear.B. Instructions and tools for removing the virus from infected machine were also provided by leading antivirus vendors.

From: http://www.idg.net/i...716_1-5046.html