The latest Bugbear variant may be around for some time to come, experts said this morning. In just a few hours Thursday, the worm became a global threat.
Bugbear-B shares similarities with Klez, the most successful worm of the past 18 months. Both exploit a 2-year-old MIME and IFRAME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express and Internet Explorer. The flaw allows the worm to execute when a recipient simply views the message. It also attacks antivirus and personal firewall software running on infected systems.
Some new details have emerged about Bugbear-B. The worm contains a list of bank names and, when it infects a computer with a domain name that matches one of those on the list, it then turns on the infected system's modem, said Jimmy Kuo, a McAfee AVERT fellow. Turning modems on probably has to do with the backdoor and keystroke logging program Bugbear-B drops into systems. "There might be a better chance of capturing worthwhile ID and password combinations [on a bank-owned machine]," Kuo said.
The worm can spread via e-mail because it uses its own SMTP engine. It plucks addresses from files on infected systems with the following extensions: .dbx, .eml, .mbx, .mmf, .nch, .ods, and .tbb. It also harvests addresses from the inbox. Additionally, the worm can spread through network file shares.
In many ways, Bugbear-B is much more malicious than recent worms, such as Sobig-C, said Mark Sunner, chief technology officer of MessageLabs Inc., an e-mail filtering outsourcer. Besides installing a keystroke-logging program, Bugbear-B also opens up TCP port 1080, which can be used to access the program and to potentially execute commands on the infected system.
There is another, subtler security risk with the worm. It randomly plucks text from infected systems to use as the body text for its infecting messages. In theory, the worm may pick sensitive information and send it off to a host of prospective victims. In addition to introducing a security risk, the copied text also serves a social engineering purpose in that it gives the messages a little more credibility with recipients.
Additionally, the worm contains a wide variety of socially engineered subject lines, which will further enhance recipients' curiosity, such as "Warning!", "SCAM alert!!!", "Get a FREE gift!", "Membership Confirmation", "Interesting....", "Correction of errors" and "update." "By nature, people are curious," Sunner said.
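The subject lines quoted above are the kind of indicator a mail administrator would turn into a gateway triage rule. The script below is an added example written for this page, not code from the article or from any vendor named in it. It scores each message on two signals: an exact (case-insensitive) match against the Bugbear-B lure subjects the article lists, and an executable attachment extension (the extension list and the tab-separated log format are assumptions of the example, not details the article gives). A single match on a subject as ordinary as "update" is only worth a point, so the default threshold of two keeps the rule from quarantining legitimate mail.

```python
import re

# Lure subject lines the article attributes to Bugbear-B (taken from the page).
BUGBEAR_B_SUBJECTS = {
    "warning!", "scam alert!!!", "get a free gift!", "membership confirmation",
    "interesting....", "correction of errors", "update",
}

# Attachment extensions treated as executable. This list is an assumption of
# the example, not something the article states.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat"}

# Constructed sample gateway log. The tab-separated format
# (msgid, sender, subject, attachment-or-"-") is assumed for the example.
SAMPLE_LOG = """\
m001\talice@example.org\tMembership Confirmation\tstatement.exe
m002\tbob@example.org\tRe: lunch on Friday\t-
m003\tcarol@example.org\tupdate\t-
m004\tdave@example.org\tSCAM alert!!!\tdetails.scr
m005\terin@example.org\tQuarterly numbers\tq2.xls
"""


def score_message(subject, attachment):
    """Return (score, reasons) for one message; each matched signal adds 1."""
    reasons = []
    if subject.strip().lower() in BUGBEAR_B_SUBJECTS:
        reasons.append("subject matches Bugbear-B lure list")
    ext = re.search(r"\.[A-Za-z0-9]+$", attachment or "")
    if ext and ext.group(0).lower() in EXECUTABLE_EXT:
        reasons.append("executable attachment %s" % attachment)
    return len(reasons), reasons


def triage(log_text, threshold=2):
    """Parse log lines and return {msgid: reasons} for messages at or above threshold."""
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        msgid, _sender, subject, attachment = line.split("\t")
        score, reasons = score_message(subject, attachment)
        if score >= threshold:
            flagged[msgid] = reasons
    return flagged


if __name__ == "__main__":
    for msgid, reasons in triage(SAMPLE_LOG).items():
        print(msgid, "->", "; ".join(reasons))
```

Lowering the threshold to one turns the rule into a review queue rather than a block list; that is the right mode for subjects such as "update" or "Warning!" that also occur in normal traffic.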