June 05, 2003, 11:32 AM — A new version of the Bugbear virus is spreading quickly on the Internet, according to alerts posted by leading antivirus companies.
The new variant, called Bugbear.B, was first detected on Thursday and shares many of the same characteristics as the first Bugbear virus, which appeared in September, 2002 and was also known as "Tanatos," according to Helsinki, Finland-based antivirus company F-Secure Corp.
At least one antivirus company, Network Associates Inc., upgraded its rating on the new virus to "high," the first virus since Slammer to achieve that rating, according to a spokeswoman for Network Associates' McAfee business unit.
Like the first Bugbear virus, the Bugbear.B is an e-mail worm, which spreads by sending copies of itself out as attachments in e-mail messages.
Like its predecessor, Bugbear.B attempts to exploit known vulnerabilities in Microsoft Corp.'s Outlook, Outlook Express and Internet Explorer products that enables attachments to be automatically opened when the e-mail containing them is opened, according to antivirus company Sophos PLC.
Also like the first Bugbear, Bugbear.B is a messy virus that makes a number of modifications to the systems it infects while dropping copies of programs that can snoop on a user's activity, infecting common Windows applications and opening a back door that could be used by hackers, according to Sophos.
Bugbear.B is also capable of detecting and shutting down antivirus programs that it finds running on the systems it infects, Sophos said.
The Bugbear.B virus arrives in e-mail messages with a variety of subjects such as "Your news Alert," "Your Gift," "click on this!" and "cows."
In addition to pulling subjects from a list it maintains internally, the virus randomly excerpts content from files on the hard drives of computers it infects and uses that information to supply the subject line for messages carrying the virus, according to David Emm, marketing manager for McAfee AVERT.
Like the subject line, the e-mail attachment containing the virus code also uses a variety of names chosen from a list maintained by the worm or grabbed from files on the infected host computer.
Attachments use a variety of file extensions including ".exe," ".scr" and "pif," and names such as "readme," "setup," "photo," and "news," according to F-Secure.
Bugbear.B also contains address spoofing features that enables it to pull e-mail addresses skimmed from files on the infected computer and insert them in the "From" line of the e-mails it sends out, Emm said.
Recipients might be tricked into opening the message from a trusted source, and can also be fooled into thinking that the sender's machine has been infected with Bugbear.B, when another machine is really the source, he said.