Bugbear to set new virus record

Published: 08 Oct 2002 07:45 BST


The Bugbear computer virus may be spreading more slowly this week than last, but it's still on track to be the most prolific email virus to date, antivirus experts said on Monday.

Last week, email service provider MessageLabs intercepted 320,000 missives containing the Bugbear attachment, more than the Klez.h virus managed in its first week in April. Klez.h has generated the most Internet traffic of any virus so far.

Bugbear "seems to be picking up quite a bit in the United States", said Angela Hauge, technical director for MessageLabs. "I would say that it's rampant." On Monday, Bugbear-infected PCs sent out nearly 38,000 emails, according to the company's Web site.

While MessageLabs can't measure the number of infected computers on the Internet, it can tally the number of emails sent by such computers and routed through its systems to the company's 700,000 customers. That data gives an indication of how prevalent a virus has become.

In June, Klez.h hit MessageLabs' millionth message mark, a first for a computer virus, the company said.

After it infects a PC, the Bugbear virus searches the machine for email addresses and sends a message out to each address, with a copy of itself attached. Bugbear also grabs a random address from those found in the email program on the PC and uses it in the "From:" line of the messages it sends. This disguises where the actual emails are coming from and makes it difficult to alert someone that their system is infected. The virus also attempts to spread by copying itself to other computers that share their hard drives with the infected system.

Bugbear also searches for any of a long list of security programs or antivirus programs and halts them if they are running on the victim's machine. In some cases, Bugbear can also cause printers on a network with infected PCs to start printing nearly blank pages.

The virus uses a flaw in the way Microsoft Outlook formats email using MIME (Multipurpose Internet Mail Extensions). The flaw, if left unpatched, allows the virus to automatically execute on a victim's PC if Outlook displays the text of the message. While the flaw and its patch are more than 18 months old, many users have apparently not fixed the problem, judging by Bugbear's success thus far. The attachment can also be executed if a user clicks on it.

Alex Shipp, senior antivirus technologist with MessageLabs, said it looks like most users don't upgrade their antivirus software unless they're aware of an infection. This pattern emerged with the Klez virus, variants of which have lingered at the top of MessageLabs' charts since this spring. With the publicity surrounding Bugbear, many Klez victims finally downloaded new software and banished the older worm, but many more have been left vulnerable to Bugbear.

Since Bugbear exhibits few symptoms on an infected computer, users may not know their systems are infected and thus may not even take precautions after they've been attacked, Shipp said.

ZDNet UK's Matthew Broersma contributed to this report.

