June 5, 2003 9:14 AM PDT
Bugbear variant mauls PCs
MessageLabs, which runs outsourced e-mail servers for 700,000 customers around the world, said it had filtered out 27,000 infected e-mails in 115 countries as of Thursday morning.
The first Bugbear worm spread rapidly last fall, creating about 320,000 infected messages in its first week, according to MessageLabs. This week has already seen another significant virus threat emerge with the spread of the Sobig virus, which has generated about 30,000 infected messages per day this week, according to MessageLabs.
Like the first worm, Bugbear.B is a mass-mailing virus that infects Windows PCs. After it infects a PC, the virus searches the machine for e-mail addresses and sends a message out to each address, with a copy of itself attached. Bugbear also grabs a random address from those found in the e-mail program on the PC and uses it in the "From:" line of the messages it sends. This disguises where the actual e-mails are coming from and makes it difficult to alert someone that his or her system is infected. The virus also attempts to spread by copying itself to other computers that share their hard drives with the infected system.
Bugbear also searches for any of a long list of security programs or antivirus programs and halts them if they are running on the victim's machine. In some cases, Bugbear can also cause printers on a network with infected PCs to start printing a large amount of raw binary data.
More dangerously, the virus installs a keylogger that records what the person types--a method of capturing passwords--and a Trojan horse back door, communicating on port 1080, which allows an attacker to take control of the system.
The virus uses a flaw in the way Microsoft Outlook formats e-mail using MIME (multipurpose Internet mail extensions). The flaw, if left unpatched, allows the virus to automatically execute on a victim's PC if Outlook displays the text of the message. While the flaw and its patch are more than two years old, some users have still not fixed the problem.
The Bugbear.B variant--also known as W32/Kimjo.A-mm and W32.Shamur--is expected to spread widely over the next couple of days, before consumers become aware of it, antivirus vendors update their software and people subsequently install the new patches.