Bugbear Virus Returns in Variant

A new version of the Bugbear virus is spreading quickly on the Internet, according to alerts posted by leading antivirus companies.

The new variant, called Bugbear.B, was first detected on Thursday and shares many characteristics with the first Bugbear virus, which appeared in September 2002 and was also known as Tanatos, according to antivirus company F-Secure.

At least one antivirus company, Network Associates, has upgraded its rating on the new virus. Bugbear.B is rated to be of "high" danger, the first virus since Slammer to achieve that rating, according to a spokesperson for Network Associates' McAfee business unit.

Targeting Outlook

Like the first Bugbear virus, Bugbear.B is an e-mail worm, which spreads by sending copies of itself out as attachments in e-mail messages.

As its predecessor did, Bugbear.B attempts to exploit known vulnerabilities in Microsoft Outlook, Outlook Express, and Internet Explorer. The products enable attachments to automatically open when a recipient opens the e-mail containing them, according to Sophos, another antivirus company.

Also like the first Bugbear, Bugbear.B is a messy virus that makes a number of modifications to the systems it infects, while dropping copies of programs that can snoop on a user's activity, infecting common Windows applications, and opening a back door that hackers could use, according to Sophos.

Bugbear.B is also capable of detecting and shutting down antivirus programs that it finds running on the systems it infects, Sophos says.

The Bugbear.B virus arrives in e-mail messages with a variety of subjects such as "Your news Alert," "Your Gift," "click on this!" and "cows."

Besides pulling subjects from a list it maintains internally, the virus randomly excerpts content from files on the hard drives of computers it infects, and it uses that information to supply the subject line for messages carrying the virus, according to David Emm, marketing manager for McAfee AVERT.

Like the subject line, the e-mail attachment containing the virus code also uses a variety of names chosen from a list that the worm maintains, or grabbed from files on the infected host computer.

Bugbear attachments use a variety of file extensions, according to F-Secure. Among those already identified are .exe, .scr, and .pif, and names such as "readme," "setup," "photo," and "news."

Sender Disguised

Bugbear.B also contains address-spoofing features that enable it to pull e-mail addresses skimmed from files on the infected computer and to insert them in the From line of the e-mail messages it sends out, McAfee's Emm says.

Recipients might be tricked into opening the message that seems to come from a trusted source, and can also be fooled into thinking that the sender's PC has been infected with Bugbear.B, when another machine is really the source, he says.

Unlike the first Bugbear virus, however, the new variant is "polymorphic," meaning that it is capable of subtly changing the way the virus code is encrypted to fool antivirus software, Emm adds.

"There's a potential danger with polymorphic viruses, that if you don't construct your virus detector properly, you could miss some samples," he says.

McAfee AVERT first detected the new Bugbear variant on Wednesday, upgrading it to a "Medium" risk and then to a "High" risk on Thursday as the number of reported infections mounted.

Other antivirus companies, including Symantec and F-Secure, continued to rate Bugbear.B as a moderate risk early Thursday.

The sheer number of actions taken by the virus after it infects systems makes disinfecting the PCs more complex than with previous viruses, Emm says. Removal is complicated by Bugbear.B's capability to squelch antivirus software, to install a back-door program on machines, and to infect common application executable files, which then reinfect machines when they are opened.

Antivirus companies recommend that customers update their antivirus software to protect against Bugbear.B. Instructions and tools for removing the virus from an infected system are also available from leading antivirus vendors.