Bugbear not hibernating any time soon

The mass-mailing computer virus may be spreading more slowly this week, but it's on track to be the most prolific e-mail virus to date.

Robert Lemos Staff Writer, CNET News.com
The Bugbear computer virus may be spreading more slowly this week than last, but it's still on track to be the most prolific e-mail virus to date, antivirus experts said on Monday.

Last week, e-mail service provider MessageLabs intercepted 320,000 missives containing the Bugbear attachment, more than the Klez.h virus managed in its first week in April. Klez.h has generated more Internet traffic than any other virus so far.

Bugbear "seems to be picking up quite a bit in the United States," said Angela Hauge, technical director for MessageLabs. "I would say that it's rampant." On Monday, Bugbear-infected PCs sent out nearly 38,000 e-mails, according to the company's Web site.

While MessageLabs can't measure the number of infected computers on the Internet, it can tally the number of e-mails sent by such computers and routed through its systems to the company's 700,000 customers. That data gives an indication of how prevalent a virus has become.

In June, Klez.h hit MessageLabs' millionth message mark, a first for a computer virus, the company said.

After it infects a PC, the Bugbear virus searches the machine for e-mail addresses and sends a message out to each address, with a copy of itself attached. Bugbear also grabs a random address from those found in the e-mail program on the PC and uses it in the "From:" line of the messages it sends. This disguises where the actual e-mails are coming from and makes it difficult to alert someone that their system is infected. The virus also attempts to spread by copying itself to other computers that share their hard drives with the infected system.

Bugbear also searches for any of a long list of security programs or antivirus programs and halts them if they are running on the victim's machine. In some cases, Bugbear can also cause printers on a network with infected PCs to start printing nearly blank pages.

The virus uses a flaw in the way Microsoft Outlook formats e-mail using MIME (multipurpose Internet mail extensions). The flaw, if left unpatched, allows the virus to automatically execute on a victim's PC if Outlook displays the text of the message. While the flaw and its patch are more than 18 months old, many users have apparently not fixed the problem, judging by Bugbear's success thus far.

Alex Shipp, senior antivirus technologist with MessageLabs, said it looks like most users don't upgrade their antivirus software unless they're aware of an infection. This pattern emerged with the Klez virus, variants of which have lingered at the top of MessageLabs' charts since this spring. With the publicity surrounding Bugbear, many Klez victims finally downloaded new software and banished the older worm, but many more have been left vulnerable to Bugbear.

Since Bugbear exhibits few symptoms on an infected computer, users may not know their systems are infected and thus may not even take precautions after they've been attacked, Shipp said.