Bugbear virus targets Internet Explorer

Using an 18-month-old flaw in the Microsoft browser, a new e-mail virus threatens IE users who have left their software unpatched.

Robert Lemos Staff Writer, CNET News.com
A new e-mail virus gained a greater foothold in unpatched Windows PCs on Tuesday, spurring antivirus companies to upgrade their estimate of the virus' danger.

Known as W32.Bugbear or I-Worm.Tanatos, the mass-mailing computer virus started infecting computers via e-mail on Sunday. On Tuesday, it accounted for nearly 11,000 infected e-mail messages intercepted by e-mail service provider MessageLabs' gateway servers. That placed it second to Klez.h, which accounted for about 14,000 e-mail messages.

"It is so hard to stay up with all the patches," said John Harrington, U.S. marketing director for MessageLabs. Harrington said most home users don't even realize they're missing a needed security fix.

The Bugbear virus infects computers running the Windows operating system and an unpatched version of Internet Explorer 5.5, according to an advisory posted by security company Symantec. A flaw in the browser's handling of MIME (Multipurpose Internet Mail Extensions) lets a malicious program attached to an e-mail message execute when the text of the message appears in Outlook. Microsoft patched the problem almost 18 months ago, but some users apparently have not updated their computers.

Once running, Bugbear searches a PC for e-mail addresses and uses its own e-mail engine to send off infected messages to each address listed. In addition, it uses random e-mail addresses in the "from" field of the header to camouflage where the infected message is coming from.

The virus also attempts to shut down a host of security programs and antivirus measures, including many personal firewall programs and most popular antivirus scanning engines.

Lastly, Bugbear sends off an encrypted file with information about the computer to a predefined e-mail address and opens a backdoor for network attackers to use to sneak into the system.

Symantec upgraded the threat rating of the virus to a "3" on Tuesday from a "2" on Monday, with the most severe rating being a "5." The rating measures various factors including the destructiveness of a virus and how fast and how far the virus has spread.

To prevent infection, Windows users should download the Microsoft patch, update their antivirus software and refrain from opening an attachment unless the sender confirms he or she sent it.