
Bugbear.B's threat rating affirmed

Antivirus companies warn PC users that a variant of the Bugbear virus is spreading across the Net, installing tools on infected computers that let intruders control the systems.

Robert Lemos, Staff Writer, CNET News.com
Robert Lemos covers viruses, worms and other security threats.
Antivirus companies warned PC users on Thursday that a variant of the nine-month-old Bugbear virus has started spreading across the Internet, installing tools on infected computers that let intruders control the systems.


Security-software company Network Associates graded the virus a medium-level threat Thursday morning, but three hours later it upgraded that to high.

"It has gone to the No. 1 (threat) for the day in about 12 hours," said Jimmy Kuo, an antivirus research fellow with Network Associates.

The virus, called Bugbear.B, is very similar to the original Bugbear program released last September. The virus spreads by selecting an e-mail in the victim's in-box and attaching itself to a reply to that message, which it then sends out to any e-mail addresses that it culls from the user's system. The virus will also occasionally create its own messages using various subject lines.

The virus also attempts to exploit a flaw in the MIME (Multipurpose Internet Mail Extensions) handling code that Microsoft Outlook shares with Internet Explorer. On an unpatched system, a mislabeled executable attachment runs automatically as soon as Outlook displays the text of the message; the user does not have to open the attachment. Although the flaw and its patch (Microsoft security bulletin MS01-020, issued in March 2001) are more than two years old, some users have still not applied the fix.
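Both e-mail behaviours described above, hijacking an existing thread as a "reply" and relying on a declared MIME type that does not match an executable payload, can be caught at a mail gateway that refuses to trust the Content-Type header. The following is an added example written for this article, not code from CNET, Network Associates or MessageLabs; the sample messages, the header values and the `attachment_findings` and `build_sample` names are constructed for illustration and are not taken from Bugbear.B samples.

```python
"""Gateway-side check for executable attachments hiding behind a passive MIME type.

Added example. Sample messages are constructed below; header values are
assumptions modelled on the behaviour described in the article, not captured
Bugbear.B mail.
"""
from email import encoders, message_from_bytes
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import List

# Extensions Windows will run when the file is opened (or auto-executed by the MIME bug).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")

# Declared content types that should never carry an executable payload.
PASSIVE_TYPES = ("audio/", "image/", "text/")


def attachment_findings(raw: bytes) -> List[str]:
    """Return reasons to quarantine the message; an empty list means no finding."""
    msg = message_from_bytes(raw)
    findings: List[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        # Check the bytes, not just the name: a PE file starts with the "MZ" header.
        looks_executable = filename.endswith(EXECUTABLE_EXTENSIONS) or payload[:2] == b"MZ"
        if not looks_executable:
            continue
        reason = f"executable attachment {filename or '<unnamed>'} declared as {ctype}"
        if ctype.startswith(PASSIVE_TYPES):
            reason += " (type mismatch; MIME auto-execute pattern)"
        findings.append(reason)
    # Heuristic (assumption): a reply to an existing thread that carries an executable
    # matches the propagation method described in the article.
    subject = (msg.get("Subject") or "").lower()
    if findings and (msg.get("In-Reply-To") or subject.startswith("re:")):
        findings.append("reply to an existing thread carrying an executable")
    return findings


def build_sample(ctype: str, filename: str, payload: bytes, reply: bool) -> bytes:
    """Construct a test message with one attachment (constructed data, not a real sample)."""
    outer = MIMEMultipart()
    outer["From"] = "alice@example.com"
    outer["To"] = "bob@example.com"
    outer["Subject"] = ("Re: " if reply else "") + "quarterly figures"
    if reply:
        outer["In-Reply-To"] = "<original@example.com>"
    outer.attach(MIMEText("see attached", "plain"))
    maintype, subtype = ctype.split("/")
    att = MIMEBase(maintype, subtype)
    att.set_payload(payload)
    encoders.encode_base64(att)
    att.add_header("Content-Disposition", "attachment", filename=filename)
    outer.attach(att)
    return outer.as_bytes()


if __name__ == "__main__":
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # constructed stand-in for a PE file
    for label, raw in [
        ("worm-like reply", build_sample("audio/x-wav", "report.exe", fake_pe, True)),
        ("disguised by name", build_sample("audio/x-wav", "invoice.wav", fake_pe, False)),
        ("clean reply", build_sample("application/pdf", "report.pdf", b"%PDF-1.4 ...", True)),
    ]:
        print(label, "->", attachment_findings(raw) or "no finding")
```

The check deliberately decides on the attachment bytes and the file extension, never on the declared type alone, which is exactly the field the MIME flaw abuses; the "reply" heuristic is only a secondary signal, since a legitimate reply can carry an executable and a worm can forge one without setting In-Reply-To.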

Bugbear.B specifically focuses on computers linked to certain Internet domains owned by banks and financial houses, Kuo said.

"Bank machines in the office are air-gapped, but somehow viruses cross," Kuo said. An "air gap," a security measure frequently used with sensitive computers, means simply that the computer is disconnected from the public Internet.

On those systems, the virus also makes the modem redial the last number it called and then tries to transfer itself to the system at the other end of the connection.

Network shares reachable from an infected system are also at risk: the virus appends itself to more than 30 different programs and runs when those applications are launched. It opens a "back door" on the PC, listening on TCP port 1080 for intruders from the Internet, and installs a "keylogger," a program that records the user's keystrokes, placing personal data and passwords at risk. The malicious program also attempts to shut down antivirus software running on the machine.

E-mail service provider MessageLabs also gave the virus a high-risk rating, saying that the company's gateway servers--which filter out e-mails containing spam and viral attachments on behalf of clients--had stopped 60,000 virus-laden e-mails in the past 24 hours.

"It is interesting, because we had only minor virus news over the past few weeks," said Mark Sunner, chief technology officer for the U.K.-based company. "The SoBig viruses were more spam-related, where Bugbear.B is sporting some quite nasty weaponry."

Sunner believes the number of systems infected by the virus will quickly grow.

"This has two of the hallmarks which we attach to viruses that have a bigger dispersal and greater longevity," Sunner said. "It exploits the bug in Outlook, and it has the ability to kill off...antivirus software."

Moreover, while recent viruses have infected specific regions of the world--such as the United States, the United Kingdom or Asia Pacific--Bugbear.B seems to be far more evenly distributed, Sunner said.