Helsinki, Finland, October 2, 2002 - The Bugbear e-mail worm (also known as Tanatos) was first seen on Monday, September 30. Since then it has been located in dozens of countries worldwide and continues to spread at an increasing rate. Current statistics show that Bugbear/Tanatos has passed Klez as the most common virus currently in the world. Klez was the most common virus for almost all of 2002.
Bugbear is a Windows mass mailer, spreading itself in infected e-mail attachments, sometimes executing the attachment automatically. It also tries to spread through open Windows fileshares. A side effect of this is that the worm sometimes prints massive amounts of nonsense text on network printers.
The worm also attempts to terminate the processes of various antivirus and firewall programs. Once a machine is infected, it can be remotely controlled via a graphical backdoor, allowing the hacker to steal and delete information from affected computers.
The worm can pick up old e-mail messages from an infected system and send them to random e-mail addresses. This means that private e-mails will be disclosed to third parties. "Forwarding old e-mails is actually a social engineering trick," comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure. "When people receive such e-mails, they will be baffled by the contents. In many cases they will click on the file attachment just to figure out what the strange e-mail is all about - thereby becoming infected."
Some e-mails sent by Bugbear will use the IFRAME vulnerability. This means that on an unpatched Windows system the worm attachment will execute automatically as soon as it is previewed or read. In some cases the worm fakes the e-mail address of the sender - making it look as if an innocent third party sent the worm. This creates further confusion and makes it difficult to warn the infected parties of the problem.
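The IFRAME trick described above pairs an HTML body that loads an attachment through an `<iframe src="cid:...">` reference with an attachment whose declared MIME type misrepresents an executable, so a vulnerable mail client runs it on preview. As an added example (not from the original article or from F-Secure), this Python check flags messages with that shape; the sample message, its addresses, file name and content-ID are constructed:

```python
import email
import re
from email import policy

# Constructed sample message: the HTML part references an attachment via an
# <iframe src="cid:..."> tag, and the attachment is declared as audio/x-wav
# although its name says it is an executable. The body is a base64 placeholder.
SAMPLE_EMAIL = """\
From: someone@example.com
To: victim@example.com
Subject: Re: hello
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><iframe src="cid:part1.exe" height=0 width=0></iframe></body></html>
--b1
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <part1.exe>

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
--b1--
"""

# Extensions Windows will execute directly when a mail client hands them over.
EXEC_EXT = re.compile(r"\.(exe|scr|pif|bat|com|vbs)$", re.I)
# An <iframe> whose src points at a MIME part by Content-ID.
IFRAME_CID = re.compile(r"<iframe[^>]*src\s*=\s*['\"]?cid:([^'\"\s>]+)", re.I)


def find_iframe_autoexec(raw: str) -> list[str]:
    """Return the reasons a raw RFC 822 message looks like an IFRAME auto-execution mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    # Pass 1: collect every Content-ID that an iframe in an HTML part loads.
    cids = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            cids.update(c.strip("<>") for c in IFRAME_CID.findall(part.get_content()))
    # Pass 2: check attachments against those references and their declared type.
    for part in msg.walk():
        cid = str(part.get("Content-ID") or "").strip("<>")
        name = part.get_filename() or ""
        if cid and cid in cids:
            reasons.append(f"iframe references attachment cid:{cid}")
        if EXEC_EXT.search(name) and not part.get_content_type().startswith("application/"):
            reasons.append(f"{name} declared as {part.get_content_type()}")
    return reasons
```

A mail gateway can quarantine any message for which the list is non-empty; a plain-text message without an HTML part or executable attachment yields no reasons.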
The worm spreads effectively within corporate LANs once one machine gets infected via e-mail. The worm will enumerate all network shares and try to copy itself to them. On Windows machines whose hard drives are shared among several users, the worm attempts to copy itself to the Startup folder, so that it activates when the machine is rebooted. The worm tries to copy itself to all types of shared network resources - including printers. Printers will not and cannot get infected by Bugbear, but they will attempt to print out the binary code of the worm - resulting in dozens or hundreds of pages of garbage.
The Bugbear worm tries to terminate various processes in the memory of an infected computer. This includes processes used by most of the popular antivirus and personal firewall products - including the outdated F-Secure Anti-Virus v4.x series. However, the worm does not affect the current F-Secure Anti-Virus v5.x series. In any case, the worm can only attack security programs if it executes in the first place - and up-to-date anti-virus programs will prevent it from executing. "As this worm is already widespread, there must now be thousands and thousands of computers on the Internet without any antivirus or firewall protection, because Bugbear has removed them," comments Hypponen.
The worm will install a backdoor to all infected systems. This backdoor can be exploited by the virus writer or by hackers, allowing them to connect to infected machines using a web browser. The worm will show a web user interface through which the attacker can browse local files or execute programs. "We haven't seen such an advanced backdoor in a worm before," says Mikko Hypponen. "Fortunately, it is not easy for script kiddies to enable this functionality."
"It was such a nice and quiet year virus-wise - up until the middle of September," continues Hypponen. "After that we have had many large outbreaks, including the Slapper and Devnull Linux worms, and the Opaserv and Bugbear Windows worms."
The year 2001 is generally considered to have been the worst virus year ever. "During 2002, the Klez virus has been the most common virus for months and months. As Bugbear is quite similar to Klez in many ways, I am afraid Bugbear will still be widespread in 2003," finishes Mikko Hypponen from F-Secure Corporation.
A detailed technical description of the worm as well as screenshots are available in the Global Bugbear Information Center at
F-Secure Anti-Virus 5.40 can detect, stop and disinfect the Bugbear worm, even if the system is already infected with the worm. F-Secure Anti-Virus can be downloaded from http://www.f-secure.com