Virus pursues Aust credit card details

A new mass-mailer virus designed to seize credit-card information and passwords has surfaced in the United States overnight and poses a threat to users in Australia.

Also known as Tanatos, Bugbear is an Internet worm with a Trojan horse that first attacks anti-virus software and firewalls, then attempts to steal your passwords and credit card information. Users of Internet Explorer 5.01 or 5.5 who have not patched the Incorrect Mime header flaw have been warned they may be vulnerable to the worm's e-mail attack.

According to Allan Bell, Network Associates Asia Pacific marketing director, this new worm is thought to have originated in Malaysia and combines features of other recent viruses such as Funlove, Badtrans, and Klez.

"It uses open file shares - like Funlove, drops a keylogger - like Badtrans, and is a mass-mailer - like Klez," Bell said.

While the worm's spread caused alarm initially, the number of new infections dropped quickly, and it is currently the third most prevalent virus as measured by Network Associates.

"What is interesting about Bugbear is that it tries to turn off your anti-virus software or firewall, and then inserts a keylogger which captures your key strokes as you type and sends them to a TCP/IP port," Bell said. "The other interesting thing is that it uses a lot of random subject names, so just keep an eye out for unsolicited mail with strange subject lines."

The keylogging Trojan horse is contained in an .exe file, so organisations and individuals that block such attachments should be safe from infection. For others, the first sign that they are infected may be calls from other people complaining of strangely worded e-mails.

All versions of Windows are vulnerable to this worm's ability to arrive via open file sharing. Users of Macintosh, Linux, and Unix are not at risk. Since Bugbear sends infected e-mail and contains a potentially dangerous Trojan horse, it represents a mid-level threat to most corporates.

How it works
Bugbear arrives via e-mail with no distinct characteristics except for an attached file that is always 50,688 bytes long. The subject line and text may be taken from existing e-mail. Bugbear also arrives through network file sharing.

When run, Bugbear adds itself to the System subdirectory of the Windows folder as four random letters followed by .exe (for example, windows\System\zayb.exe). It also changes the Registry in order to run each time Windows is loaded, once again using random letters. Finally, it adds itself to the Startup folder as three random letters followed by .exe (for example, Startup\zay.exe). The Trojan horse part of this worm first terminates many popular firewall and antivirus programs. The Trojan then launches a keystroke-logging program whose filename is a variable number of random letters followed by .dll (for example, avbxcydz.dll). Keystroke-logging programs memorize the keystrokes typed when filling out login information (passwords) or filling out shopping forms online (credit card information). Files saved by these programs can later be accessed remotely by malicious users. The Trojan component of this worm opens port 36794.
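The indicators in the paragraph above (the 50,688-byte .exe attachment, the random-letter file names dropped into the System and Startup folders, and the listener on port 36794) can be turned into a simple triage script. This is an added example, not code from the article or from any antivirus vendor; the sample file listings, attachment list and netstat lines are constructed, and the file-name patterns are only leads for review, since legitimate short-named executables will also match.

```python
import re
from dataclasses import dataclass

# Indicators taken from the article.
BUGBEAR_ATTACHMENT_SIZE = 50688          # attachment is always this long
BUGBEAR_PORT = 36794                     # port opened by the Trojan component
SYSTEM_DROP = re.compile(r"^[a-z]{4}\.exe$", re.IGNORECASE)   # e.g. zayb.exe in System
STARTUP_DROP = re.compile(r"^[a-z]{3}\.exe$", re.IGNORECASE)  # e.g. zay.exe in Startup

@dataclass
class Finding:
    kind: str
    detail: str

def check_attachments(attachments):
    """attachments: list of (filename, size_in_bytes); flags .exe files of the known size."""
    return [Finding("attachment", name) for name, size in attachments
            if size == BUGBEAR_ATTACHMENT_SIZE and name.lower().endswith(".exe")]

def check_dropped_files(system_files, startup_files):
    """Flag names matching the random-letter patterns; matches are leads, not proof."""
    found = [Finding("system_drop", f) for f in system_files if SYSTEM_DROP.match(f)]
    found += [Finding("startup_drop", f) for f in startup_files if STARTUP_DROP.match(f)]
    return found

def check_netstat(lines):
    """lines: 'netstat -an' style output; flags a TCP listener on the Trojan's port."""
    hits = []
    for line in lines:
        parts = line.split()   # e.g. ['TCP', '0.0.0.0:36794', '0.0.0.0:0', 'LISTENING']
        if (len(parts) >= 4 and parts[0] == "TCP"
                and parts[1].endswith(f":{BUGBEAR_PORT}") and parts[3] == "LISTENING"):
            hits.append(Finding("listener", line.strip()))
    return hits

# Constructed sample data standing in for a real mailbox, directory listing and netstat.
SAMPLE_ATTACH = [("report.doc", 50688), ("setup.exe", 50688), ("photo.exe", 12000)]
SAMPLE_SYSTEM = ["kernel32.dll", "zayb.exe", "notepad.exe"]
SAMPLE_STARTUP = ["desktop.ini", "zay.exe"]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:36794          0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
]

if __name__ == "__main__":
    for f in (check_attachments(SAMPLE_ATTACH)
              + check_dropped_files(SAMPLE_SYSTEM, SAMPLE_STARTUP)
              + check_netstat(SAMPLE_NETSTAT)):
        print(f"{f.kind}: {f.detail}")
```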

Prevention
Users of Internet Explorer 6 should be safe from the e-mail portion of this worm. Users of IE 5.01 and 5.5 who have not installed the Incorrect MIME header patch found in MS01-020 should do so. If you do not need to share files on a network, you should also turn off file sharing within Windows.

Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system.

Talkback 2 comments

    I have been hit by the bugbear virus 4 times in as many days. The first time it took out my printer, which was not turned on, phew! It arrived under my son's email name, hence I opened it. So far it has shown KKK and MMM. Luckily I have AVG installed and it grabbed it very fast. My son has Norton's and it took that out fast, but he also has AVG which grabbed it, but we both reformatted to be safe. I suggest you change your sign-in name and your password ASAP.
    cally -- 15/10/02

    Hi, I was just reading your report when I got sent bugbear as an offer to go in the U.S.A. green card raffle. Thanks to VET virus scanner it didn't have a chance. Just thought I would let you know it's still out there.
    Anonymous -- 18/10/02
