New worm is bugging computers

A new variant of the BugBear worm, dubbed BugBear.B, appeared yesterday and has begun spreading rapidly through systems in English-speaking countries.

Antivirus companies first saw the worm in the United States, United Kingdom and Australia. BugBear.B spreads by mass e-mailing and network shares, and installs keylogging software and a back door that leaves infected machines open to further exploitation.

Because of its rapid spread, the Anti-Virus Emergency Response Team of iDefense Inc. of Chantilly, Va., and Network Associates Inc. of Santa Clara, Calif., have assessed the worm's threat as high.

BugBear.B is the second new variant to hit the Internet this week, said Ken Dunham, iDefense senior intelligence analyst.

'There has been a lot of activity on the malicious code front this week, peaking with SoBig.B on Tuesday and now BugBear.B,' Dunham said. 'New and improved variants of successful malicious codes, designed to go undetected even with updated antivirus software, are once again proving to be a significant threat.'

The new BugBear has randomized subject lines, sender addresses, body text and attachment names. The attachment always has a double extension, with the real extension being .EXE, .PIF or .SCR. It e-mails itself and attempts to create a copy of itself in a remotely shared 'startup' directory. In addition to installing a back door and keylogging code to capture passwords, it also can download malicious code from a remote Web site and listens on TCP Port 1080 for commands, potentially allowing remote control of the infected machine.

'Simply filtering against .EXE, .PIF and .SCR e-mail attachments is a great way to lower the risk of infection against such worms when it is feasible to do so at the gateway level,' Dunham said.
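The gateway filtering described above, sketched as an added example (not from the article or from any vendor's product): it parses a message, treats the last extension of each attachment name as the real one, and flags .EXE, .PIF and .SCR, noting when a double extension is present. The function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the article names as the worm's real attachment types.
BLOCKED = {".exe", ".pif", ".scr"}


def classify_attachment(filename):
    """Return (blocked, double_extension) for one attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before testing.
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    real_ext = "." + parts[-1] if len(parts) > 1 else ""
    blocked = real_ext in BLOCKED
    # "report.doc.pif": a decoy extension sits in front of the real one.
    double = blocked and len(parts) > 2 and parts[-2] != ""
    return blocked, double


def scan_message(raw_bytes):
    """Return [(filename, reason)] for attachments a gateway should reject."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()  # decoded Content-Disposition/Content-Type name
        if not name:
            continue
        blocked, double = classify_attachment(name)
        if blocked:
            reason = "double-extension" if double else "blocked-extension"
            findings.append((name, reason))
    return findings


def build_sample():
    """Constructed sample message with harmless placeholder attachment bytes."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("body text")
    for fname in ("report.doc.pif", "notes.txt", "Setup.EXE"):
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample()):
        print(f"REJECT {name}: {reason}")
```

Because the subject line, sender, body text and attachment name are all randomized, the real extension is the one stable property the filter keys on.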

About the Author

William Jackson is a Maryland-based freelance writer.
