Bugbear Virus Still Running Wild

More than 21,000 copies of the virus have appeared in the past day.

Three days after its appearance, the Bugbear virus is still gaining momentum and has passed the venerable Klez virus as the most active in the past 24 hours.

One company that tracks viruses, Message Labs Ltd., said it has seen more than 21,000 copies of Bugbear in the last day, nearly twice the number of Klez-infected messages its seen during the same period. Klez, however, is still by far the most active virus of the month and year so far.

Bugbear first hit the Internet late Sunday and has been spreading steadily ever since. In fact, F-Secure Corp., a Finnish anti-virus company, on Wednesday upgraded its alert level on Bugbear to Level 1, which is reserved for epidemic-level viruses such as Loveletter and Nimda.

Symantec Corp. has also upgraded Bugbear to a Level 4 threat, with Level 5 being the most serious. The company made the move after seeing a huge jump in the number of submissions from its customers. As of Tuesday morning, Symantec had a total 157 submissions of the virus from consumers. Wednesday morning, Symantec Security Response had 2,039 submissions from consumers.

The virus arrives in an e-mail with a random subject line and a randomly named attachment. The attachment, written in Microsoft Corp.s Visual C, is compressed and often contains a double file extension. Once it infects a computer, the virus mails itself to addresses found on the local machine and then tries to spread through network shares, according to an advisory from McAfee Security, a division of Network Associates Inc., in Santa Clara, Calif.

Bugbear takes advantage of a flaw in Internet Explorer that can force the browser to automatically open an executable attachment in some HTML e-mail messages.

In addition to logging keystrokes, the Trojan program searches for and tries to disable a number of common Windows processes. It also disables popular anti-virus and firewall software and opens a TCP port that listens for instructions from remote machines. The combination of these modifications to an infected machine not only could give a remote attacker access to sensitive data such as passwords but could also enable him to control any number of compromised PCs.

For instructions on how to find out whether youve been infected by Bugbear or to remove it, see: www.mcafee.com/anti-virus/viruses/bugbear/. The patch from Microsoft Corp. for the Internet Explorer vulnerability is available here.

(Editors Note: This story has been updated since its original posting to include figures from Symantec.)

Related Stories: