The Bugbear worm has steadily grown to become one of the most prevalent viruses in the world. In doing so, it has unseated Klez.H, which has dominated the virus landscape for nearly six months.
Antivirus experts credit the worm's savvy features for its success in infecting systems. The relatively slow year for viruses may also have lulled some users into a false sense of security.
"When users don't hear about viruses for a while, they begin to see antivirus software as bothersome," said David Perry, global director of education for Trend Micro, a Tokyo-based antivirus software vendor. "They think it slows their systems down."
The slow but steady progress of Bugbear suggests that it is primarily affecting home users, as most corporate users have had antivirus protection in place for days. The worm is also called Tanat, Tanatos, WORM_NATOSTA.A and W32/Bugbear@MM.
Bugbear also didn't have the rapid ramp-up of a Nimda, which peaked on its first day. That kind of progress tends to get people's attention. Bugbear seems to be spreading more slowly, much like Klez.H, Perry said.
"End users have gotten this idea that computer viruses are very dramatic," Perry said. "They think viruses make smoke and fire come out the back of their computers."
Bugbear has steadily crept up on users since being discovered Monday. McAfee Security's Anti-Virus Emergency Response Team (AVERT) found that rates of the worm's spread increased 50% to 60% yesterday, said Craig Schmugar, the group's virus research engineer. Europe is getting hit harder than North America, he said.
In fact, Bugbear has eroded Klez's progress. MessageLabs, the Gloucester, England-based provider of e-mail security services, intercepted only 6,300 copies of Klez yesterday, down from a daily average of between 13,000 and 18,000. By contrast, between midnight Wednesday and about 5 p.m. Thursday, the firm intercepted 23,000 copies of Bugbear, said Angela Hauge, MessageLabs' technical director for the United States.
Like Klez, Bugbear uses a couple of techniques that enable it to spread more efficiently. For example, it "spoofs" e-mails so the messages it sends out appear to come from different users, not from the PCs where it found the e-mails. Such trickery allows the worm to cover up which machines it has infected.
"There are no arrows pointing to who sent the e-mail to you," Perry said.
Additionally, Bugbear takes advantage of a vulnerability in Internet Explorer that automatically executes attachments when e-mail messages are opened or simply viewed in the preview pane.
Malicious code like Bugbear and Klez probably offers just a taste of what future worms will look like. At 154 kilobytes uncompressed, Bugbear is a humongous, "feature-rich" virus, Perry said.
Bugbear drops a keystroke-logging program into an infected system that can collect sensitive data such as passwords from machines. A system back door opened by the worm allows the author to retrieve the information.