Bugbear virus shows its claws

The infectious program continues to spread, spurring several antivirus software makers to bump up their rating of the danger the code poses.

Robert Lemos, Staff Writer, CNET News.com. Robert Lemos covers viruses, worms and other security threats.
The Bugbear virus continued to spread, spurring several antivirus software makers to raise their estimates of the program's danger for the second time this week.

On Wednesday, security software maker Symantec raised its rating of the virus to 4 out of 5, and on Thursday rival firm Network Associates raised its estimate of the infectious program's danger from medium to high.

"It doesn't show any sign of slowing down right now," said Craig Schmugar, virus research engineer for Network Associates' McAfee antivirus emergency response team on Thursday. "We have seen 50 to 60 percent more submissions today than yesterday."

Also known as Tanatos, the mass-mailing Bugbear computer virus can automatically infect Windows systems whose users haven't patched an 18-month-old flaw in Internet Explorer. PC users who have plugged the security hole still have to be careful: even if the automatic attack is blocked, opening the attachment will still allow the virus to infect the computer.

The virus copies itself to the hard drive of the victim's PC and to any other computers on the same network that share their drives with the infected system.

Once in place, the computer virus stops a variety of security and antivirus programs from running. It also searches for e-mail addresses and sends itself as an e-mail attachment to every address that it finds. In addition, Bugbear opens up a "backdoor" on the computer through which an Internet attack can sneak into the system, and records everything a user types in certain windows, such as those for entering passwords. It occasionally sends off the file containing the keystrokes to several e-mail addresses.

Bugbear borrows many pages from the playbook of another successful virus, Klez.h. That virus has been the most prevalent computer virus for the past six months, according to data from e-mail service provider MessageLabs.

Part of Bugbear's success comes from its use of its own e-mail engine to send off infected messages. As a result, the infected messages it sends carry a random e-mail address in the header's "From" field. This camouflages, to some degree, the e-mail's source, making it difficult to determine whose computer sent the infected message and therefore that much harder to identify the infected machine.
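Because the "From" field is forged, a mail administrator trying to find the infected machine has to look elsewhere. The following Python script is an added example, not code from the article or from any antivirus vendor, and the message it parses is constructed: it shows how the Received headers that each relaying mail server prepends still record the host that first handed in the message, even when the From address points at a random, uninvolved user. The hostnames, addresses and attachment name in the sample are invented for illustration.

```python
import email
import re

# Constructed sample message (not a real capture). The From: address is forged,
# but each mail server on the path has prepended its own Received: header,
# so the bottom-most Received: line still names the host that submitted it.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [203.0.113.5])
    by mail.example.com with ESMTP id abc123; Thu, 3 Oct 2002 10:00:05 -0700
Received: from victim-pc (dsl-198-51-100-23.example.net [198.51.100.23])
    by mx.example.org with SMTP id xyz789; Thu, 3 Oct 2002 10:00:01 -0700
From: someone.random@example.com
To: user@example.com
Subject: Hello
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

body
--B
Content-Type: application/octet-stream; name="readme.scr"
Content-Disposition: attachment; filename="readme.scr"

fake
--B--
"""

# File types that Windows will execute when double-clicked; a sensible
# gateway policy blocks or quarantines these regardless of sender.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".com", ".vbs")

# Matches the bracketed IPv4 literal that relays record next to the peer's name.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def from_address(raw_message):
    """Return the (forgeable) From: header value."""
    msg = email.message_from_string(raw_message)
    return msg.get("From", "")


def received_ips(raw_message):
    """Return relay IPs in header order: newest hop first, earliest hop last."""
    msg = email.message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        match = IP_IN_BRACKETS.search(header)
        if match:
            ips.append(match.group(1))
    return ips


def originating_host(raw_message):
    """The earliest hop: the address that first submitted the message.

    Only hops recorded by servers you control can be trusted, since anything
    below your own gateway's Received: line could itself have been forged.
    """
    ips = received_ips(raw_message)
    return ips[-1] if ips else None


def suspicious_attachments(raw_message):
    """List attachment filenames with an executable extension."""
    msg = email.message_from_string(raw_message)
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(EXECUTABLE_EXTENSIONS):
            names.append(name)
    return names


def triage(raw_message):
    """Summarise what a gateway operator would want to know about one message."""
    return {
        "claimed_from": from_address(raw_message),
        "relay_chain": received_ips(raw_message),
        "originating_host": originating_host(raw_message),
        "executable_attachments": suspicious_attachments(raw_message),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Run against the sample, the script reports a claimed sender of someone.random@example.com but an originating host of 198.51.100.23, which is the address to chase down rather than the user named in From. The design choice is to trust the Received chain only as far back as one's own relays, which is exactly why a gateway such as MessageLabs' can attribute infected traffic even when end recipients cannot.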

The tactic has been so effective that Bugbear created more than 200,000 e-mail messages seen by MessageLabs' gateway in the last 24 hours, far outpacing the almost 60,000 messages created by Klez.h.