Bugbear could be biggest virus of 2002

Discussion in 'malware problems & news' started by Primrose, Oct 5, 2002.

Thread Status:
Not open for further replies.
  1. Primrose

    Primrose Registered Member

    Sep 21, 2002
    Friday, 4 October, 2002, 10:48 GMT 11:48 UK
    Bugbear e-mail virus causing havoc

    Bugbear could be biggest virus of 2002

    The Bugbear e-mail virus is continuing to cause havoc across the globe.
    According to anti-virus firms, it could be the biggest bug of the year so far and will provide a timely warning to those who thought the threat from malicious programs had receded.

    The virus can compromise secure transactions and passwords, make computers vulnerable to hackers, disable anti-virus software and distribute confidential e-mails.

    "It feels like it is going to be one of the biggest things all year," said Graham Cluley, senior technology consultant at anti-virus firm, Sophos.

    Where did it come from?

    Experts at virus filtering firm MessageLabs said the virus appeared to be spreading more quickly.

    "Today it has started to go a bit mad. Yesterday we had 35,000 reports all day and today we have already had 37,000," said Alex Shipp, senior anti-virus technologist at MessageLabs.

    Bugbear facts:
    - Hundreds of thousands of computers infected
    - Mainly hitting home Windows PCs with no updated anti-virus protection
    - Can replicate without user clicking on attachment
    - Compromises secure transactions and passwords

    The search for the origin of the virus is now on and there are suggestions that it could have come from Korea or Singapore.

    Most of the addresses it uses are generic web ones, but there were a couple which point to Korea and Singapore, say experts.

    The majority of infected computers are those of home users who have not updated their virus protection software.

    Earlier e-mail viruses such as the ILOVEYOU bug and the Kournikova virus always carried the same subject line and relied on people's curiosity to open the infected attachment.

    But Bugbear, and its predecessor Klez.H, can disguise themselves as a random e-mail from a friend.

    Clever tricks

    It can even choose an e-mail in a different language to confuse users.

    How to protect yourself:
    - Contact anti-virus firm
    - Disinfector available from anti-virus websites
    - Patch for Outlook available from Microsoft
    - At work, contact computer support immediately

    "Most e-mail viruses are written in English and foreign language viruses don't tend to spread," said Mr Shipp.

    Bugbear however can choose a German language e-mail to send itself on in if it is on a German computer, he said.

    In the first few days of the virus, users could identify Bugbear by the size of the file which was always 50,688 bytes.

    Now it is picking up other viruses along the way, increasing the file size and meaning there is no good way of detecting it.

    For some users the virus can spread even if they do not click on the attachment, taking advantage of a known vulnerability in Microsoft Outlook.

    Those who have been infected with the Bugbear virus are advised to contact anti-virus firms for instructions on removing files and for security updates.


    Q&A: The Bugbear e-mail virus
  2. Ghost

    Ghost Guest


    Bugbear side effect hits printers

    Networked devices spewing out pages of binary code

    Bugbear infections look to be levelling off slowly, but the worm's faulty code is having an unexpected side effect.

    Antivirus companies Sophos and Network Associates have both reported a slow down in infection detection, but overall the worm will top the threat charts for this month.

    However, a bug in the worm has meant that networked printers are being affected. In some cases the first a company has known about the infection is when the machines start spewing out pages of gibberish.

    "Most virus writers aren't geniuses and this one is no exception," said Graham Cluley of Sophos.

    "A fault in the code means that the virus identifies network printers as potential hosts and sends code to them.

    "The printer then tries to print the code in binary format, which comes out as gibberish. It doesn't harm the printers but the stationery costs are an added annoyance."

    Bugbear disables antivirus and firewall software and installs a Trojan keystroke logger as a DLL, detected as PWS-Hooker.dll.

    Anything the PC user types via the keyboard, such as passwords or sensitive information, is sent to the originator of the worm via the TCP port 36794.

    The worm also seeks to infect all other PCs on the network via the address book and network shares.
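
The two indicators reported in this thread, traffic on TCP port 36794 and the early 50,688-byte attachment size, can be checked against existing logs to find hosts worth examining. The following is an added example, not part of either post or of any vendor's tooling; both log formats, all addresses and file names are constructed, and treating 10.0.0.0/8 as the internal range is an assumption.

```python
import re
from collections import defaultdict

BUGBEAR_PORT = 36794   # TCP port named in the article above
BUGBEAR_SIZE = 50688   # attachment size reported for the first days only

# Constructed sample records; both log formats are assumptions for this example.
FIREWALL_LOG = """\
2002-10-04T09:12:01 ALLOW TCP 10.0.0.23:1045 -> 203.0.113.9:36794
2002-10-04T09:12:07 ALLOW TCP 10.0.0.41:1180 -> 198.51.100.4:80
2002-10-04T09:13:55 ALLOW TCP 192.0.2.77:4001 -> 10.0.0.23:36794
2002-10-04T09:14:02 DENY TCP 10.0.0.58:1302 -> 203.0.113.9:36794
"""
MAIL_LOG = """\
2002-10-04T09:01:10 from=10.0.0.23 attachment=setup.exe size=50688
2002-10-04T09:02:44 from=10.0.0.41 attachment=report.doc size=50688
2002-10-04T09:03:02 from=10.0.0.58 attachment=card.scr size=61440
2002-10-04T09:05:19 from=10.0.0.23 attachment=readme.pif size=50688
"""
FW_RE = re.compile(r"^\S+ (?:ALLOW|DENY) TCP (\S+):(\d+) -> (\S+):(\d+)$")
MAIL_RE = re.compile(r"^\S+ from=(\S+) attachment=\S+ size=(\d+)$")

def is_internal(ip):
    return ip.startswith("10.")  # assumption: internal range is 10.0.0.0/8

def triage(firewall_log, mail_log):
    """Return {internal_host: sorted indicator names} for hosts to examine."""
    hits = defaultdict(set)
    for line in firewall_log.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport = m.groups()
        # Match either direction: blocked attempts still mark a host as suspect.
        if BUGBEAR_PORT in (int(sport), int(dport)):
            for ip in (src, dst):
                if is_internal(ip):
                    hits[ip].add("tcp-36794")
    for line in mail_log.splitlines():
        m = MAIL_RE.match(line)
        if m and int(m.group(2)) == BUGBEAR_SIZE and is_internal(m.group(1)):
            hits[m.group(1)].add("size-50688")
    return {ip: sorted(names) for ip, names in hits.items()}

def priority(indicators):
    # Size alone is weak: the article notes later copies grew past 50,688 bytes.
    return "high" if "tcp-36794" in indicators else "low"
```

A size-only match, such as the constructed 10.0.0.41 record, is ranked low because an unrelated file can share the size and later copies of the worm no longer match it.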