Bugbear, one of the most successful worms of the past year, is back. A new variant of the mass-mailing worm emerged this morning and seems to be gaining some traction.
As of midmorning today, e-mail filtering outsourcer MessageLabs Inc. had intercepted more than 17,000 copies of Bugbear-B (also known as Tanatos-B). The worm seemed to be ramping up; more than 3,500 copies were caught in the hour between 9 a.m. and 10 a.m. EDT.
Mark Sunner, MessageLabs' chief technology officer, said that recent worms such as SoBig-C were more concentrated in the U.K. and North America, but Bugbear-B is being found across all of Europe. "Worms such as this tend to follow the sun. We expect to see a shift from Europe to the Western U.S. in the next few hours," Sunner said.
Bugbear-B has a few tricks its older brother didn't have. The worm is polymorphic, which means that it assumes a different appearance each time it hits an inbox. Bugbear-B pulls information from infected machines to use as the message text of its infecting e-mails. The worm also spoofs sender addresses when it sends copies of itself using its own SMTP engine. So, in effect, a message appears to come from a person, when in fact it came from another infected machine.
"We think this is something that could be pretty nasty," said Chris Beltoff, senior security analyst at antivirus software vendor Sophos Inc. "For some users, the e-mails may look legitimate even if they aren't familiar."
Like the previous variant, Bugbear-B installs a keystroke-logging program and opens a TCP port (port 1080) on infected systems. In theory, a remote attacker could use the open port to access captured data such as passwords and usernames or to execute commands on infected systems. It also tries to stop antivirus and personal firewall software from running, which could leave an infected system open to other worms and to remote attack.
The worm also tries to infect the files of applications such as Kazaa, Windows Media Player and Outlook Express.
Bugbear-B also exploits the years-old MIME and IFRAME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express and Internet Explorer. This flaw allows the worm to infect a system just by the message being viewed. Additionally, it can spread via network file shares. "All it takes is one copy getting into a company, and it will be cleaning it up for quite a while," Sunner said.
Adhering to a few safe computing principles would prevent infection from Bugbear. For example, if someone sends you an unexpected attachment, it's a good idea to get in touch with that person before opening it. Blocking the .exe, .pif and .scr file extensions would also help stop the worm. Note that the worm's attachment may carry a double file extension ending in one of those types, so a filter should consider the full attachment name rather than the first extension it sees.
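As an added illustration of the extension-blocking advice above (example code written for this article, not a tool the article or the vendors quoted describe), here is a small gateway-side classifier: it blocks any attachment whose final extension is .exe, .pif or .scr, and flags double-extension names for review even when the final extension is not on the block list. The sample names at the bottom are constructed for the demonstration.

```python
import re

# Executable extensions the article recommends blocking.
BLOCKED_EXTENSIONS = {"exe", "pif", "scr"}

# Harmless-looking extensions that may appear in front of the real one
# in a double-extension name such as "report.doc.exe" (assumed list).
DECOY_EXTENSIONS = {"doc", "txt", "jpg", "gif", "htm", "html", "pdf", "zip"}


def classify_attachment(filename: str) -> tuple:
    """Return (verdict, reason) for an attachment name.

    verdict is "block", "review" or "allow".  The FINAL extension decides
    blocking, so "readme.txt.pif" is caught; a decoy extension followed by
    any further extension is sent for review so the double-extension trick
    does not slip through for a type that is not on the block list.
    """
    # Normalise case and drop stray whitespace so "photo.jpg .scr" still
    # resolves to a .scr attachment.
    name = re.sub(r"\s+", "", filename.strip().lower())
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return ("allow", "no extension")
    final = parts[-1]
    if final in BLOCKED_EXTENSIONS:
        return ("block", f"executable extension .{final}")
    inner = parts[1:-1]
    if any(ext in DECOY_EXTENSIONS for ext in inner):
        return ("review", "double extension " + ".".join(parts[1:]))
    return ("allow", "")


def filter_attachments(names: list) -> dict:
    """Classify every attachment name in a message; returns {name: (verdict, reason)}."""
    return {n: classify_attachment(n) for n in names}


# Constructed sample attachment names (not taken from any real message).
SAMPLE_NAMES = [
    "report.doc.exe",   # double extension ending in a blocked type -> block
    "Photo.JPG.scr",    # mixed case, blocked final extension -> block
    "notes.txt.vbs",    # double extension, final type not on the list -> review
    "budget.xls",       # ordinary document -> allow
    "README",           # no extension -> allow
]

if __name__ == "__main__":
    for name, (verdict, reason) in filter_attachments(SAMPLE_NAMES).items():
        print(f"{verdict:6} {name:18} {reason}")
```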