Bugbear variant mauls PCs

A new variant of the fast-spreading Bugbear worm has begun rapidly infecting PCs since it was first reported on Wednesday.

A new variant of the fast-spreading Bugbear virus--Win32.Bugbear.B--has begun rapidly infecting PCs since it was first reported Wednesday.

MessageLabs, which runs outsourced e-mail servers for 700,000 customers around the world, said it had filtered out 27,000 infected e-mails in 115 countries as of Thursday morning.

The first Bugbear worm spread rapidly last fall, creating about 320,000 infected messages in its first week, according to MessageLabs. This week has already seen another significant virus threat emerge with the spread of the Sobig virus, which has generated about 30,000 infected messages per day this week, according to MessageLabs.

Like the first worm, Bugbear.B is a mass-mailing virus that infects Windows PCs. After it infects a PC, the virus searches the machine for e-mail addresses and sends a message out to each address, with a copy of itself attached. Bugbear also grabs a random address from those found in the e-mail program on the PC and uses it in the "From:" line of the messages it sends. This disguises where the actual e-mails are coming from and makes it difficult to alert someone that his or her system is infected. The virus also attempts to spread by copying itself to other computers that share their hard drives with the infected system.

Bugbear also searches for any of a long list of security programs or antivirus programs and halts them if they are running on the victim's machine. In some cases, Bugbear can also cause printers on a network with infected PCs to start printing a large amount of raw binary data.

More dangerously, the virus installs a keylogger that records what the person types--a method of capturing passwords--and a Trojan horse back door, communicating on port 1080, which allows an attacker to take control of the system.

The virus uses a flaw in the way Microsoft Outlook formats e-mail using MIME (multipurpose Internet mail extensions). The flaw, if left unpatched, allows the virus to automatically execute on a victim's PC if Outlook displays the text of the message. While the flaw and its patch are more than two years old, some users have still not fixed the problem.

The Bugbear.B variant--also known as W32/Kimjo.A-mm and W32.Shamur--is expected to spread widely over the next couple of days, before consumers become aware of it, antivirus vendors update their software and people subsequently install the new patches.

ZDNet Australia's Iain Ferguson reported from Sydney. ZDNet UK's Matthew Broersma reported from London. CNET News.com's Robert Lemos contributed to this report.

Featured Video
6
This content is rated TV-MA, and is for viewers 18 years or older. Are you of age?
Sorry, you are not old enough to view this content.

The new Moto 360 looks more like a watch than a smartwatch

CNET's Dan Graziano gives you a first look at the brand new Moto 360.

by Dan Graziano