A new mass-mailing worm that uses a host of tricks employed by the recent Klez worm is making slow but steady progress around the world.
Antivirus experts are watching Bugbear closely as it displays characteristics similar to those of variants of the Klez worm, which has slowly emerged as the most common worm in the world. Bugbear is also being called Tanat, Tanatos, WORM_NATOSTA.A and W32/Bugbear@MM.
As of Tuesday morning, Bugbear had been spotted more than 9,400 times in 68 countries, according to MessageLabs. The worm is hard to spot when it arrives because it uses a variety of subject lines and spreads via its own SMTP engine. It also tries to disable antivirus and firewall programs.
Mikko Hypponen, F-Secure's manager of anti-virus research in Helsinki, Finland, sees some eerie similarities between Bugbear and Klez. The writer of Bugbear didn't use the source code from Klez but copied many of the worm's capabilities.
"It almost looks like the writer of Bugbear looked at a description of Klez and rewrote the worm with much of the same functionality," Hypponen said.
Bugbear does have a trick that Klez doesn't. Namely, it installs a key-logging program that can harvest passwords, usernames, credit card numbers and other sensitive information. The worm also opens a back door on port 36794, which can allow the worm's writer or others to steal that information.
Bugbear arrives as an attachment to a message featuring a host of subject lines and message bodies. Much like Klez, Bugbear exploits a MIME and an IFRAME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express and Internet Explorer. As a result, the attached worm can execute without the attachment being clicked on.
Additionally, the worm tries to copy itself to a host of network file shares, including printers. Though it can't infect printers, wasted pages can occur as printers try to print out the raw binary data of Bugbear's executable code.
Once in a system, Bugbear searches for e-mail addresses in the inbox and on the machine's hard drive. It uses those addresses both as targets and as spoofed senders, so that the infected messages appear to come from them.
Klez employed a similar technique, which is what allowed it to spread so widely, Hypponen said. With other worms, people realize they are infected when their contacts receive the worm and let them know. By spoofing e-mail addresses, Klez obscures which machines are actually sending the worm. "I'm sure there are a number of machines still infected with Klez and no one knows," he said.
In addition to spreading itself, Bugbear also seeks to shut down antivirus and firewall functions running on the infected system. It routinely rechecks the system for this functionality just in case someone installs antivirus software after becoming infected.
Targeting protections can leave a system open to other worms and viruses. "A lot of times, users don't realize their antivirus software has stopped because it runs in the background," said Chris Wraight, technology consultant at antivirus vendor Sophos.
While filtering for specific subject lines wouldn't prevent Bugbear from getting through, blocking certain file types would. Bugbear sends itself with one or two file extensions, with the second usually being .scr, .pif or .exe.
At the least, users should block executables and .pif files, as these are common file types for viruses, said Vincent Gullotto, vice president of McAfee AVERT. He would recommend going one step further and blocking all file types except zipped files and a few others.
"Now, companies don't like to do that," Gullotto said. "But it is a best practice, and in the end it will save them some pain."
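The attachment-type blocking described above, as an added example that is not part of the original article: a Python gateway-style check that parses a message and blocks attachments whose final extension is .scr, .pif or .exe, flagging the double-extension case separately. The function names, addresses and sample filenames are constructed for illustration, and the block list is limited to the three extensions the article names.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Final extensions the article names for Bugbear attachments.
BLOCKED_FINAL = {".scr", ".pif", ".exe"}

def classify(filename):
    """Return (verdict, reason) for one attachment filename."""
    # Windows ignores trailing dots and spaces, so strip them before checking.
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2:
        return ("allow", "no extension")
    final = "." + parts[-1]
    if final in BLOCKED_FINAL:
        if len(parts) >= 3:
            return ("block", f"double extension ending in {final}")
        return ("block", f"blocked type {final}")
    return ("allow", f"type {final} not on block list")

def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and classify every named attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.walk():
        fname = part.get_filename()  # None for the body and multipart containers
        if fname:
            findings.append((fname, *classify(fname)))
    return findings

def build_sample():
    """Constructed sample message; attachment bytes are harmless placeholders."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    for name in ("report.doc.pif", "setup.exe", "notes.zip", "photo.jpg.scr"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for fname, verdict, reason in scan_message(build_sample()):
        print(f"{verdict:5}  {fname:16}  {reason}")
```

The check keys on the attachment filename only, which matches the subject-line-independent filtering the article describes; it does not inspect file contents.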