The surprisingly resilient Bugbear worm continued to assault thousands of computers around the world Monday, but its rate of spread has finally started to slow, antivirus experts say. But Bugbear is apparently causing problems even for those who don’t receive the worm. An Internet hoax artist has capitalized on the worm’s notoriety, and has crafted an e-mail that tricks victim’s into deleting a system file on their Windows machines.
THE HOAX IS an old trick, a mass e-mail which warns recipients that there’s a virus on their machine called Jdbgmgr.exe. The file is a legitimate system file needed to run Java programs, and it’s normally displayed with a bear icon.
But the e-mail instructs recipients to find the file and delete it immediately.
The hoax is now more convincing, because recipients associate the bear icon with the Bugbear virus, according to Craig Schmugar, a virus research engineer for Network Associates Inc.
“The confusion is coming in part because of the virus name, and because the icon in question is a teddy bear. And the hoax has been tweaked to reference this new virus,” Schmugar said.
Meanwhile, Bugbear continues to romp around the Internet, and it’s now the most prevalent computer virus in the wild.
Antivirus firm MessageLabs Inc. indicated that it had trapped over 300,000 copies of the worm by Monday evening. Fully half those were trapped in the United Kingdom, according to the company’s Web site.
But Schmugar said reports of infections had already stabilized on Friday, and Monday brought fewer infections, suggesting the worst of the outbreak is over.
“We will lower our high risk assessment to a medium risk if the activity follows the pattern we’ve seen,” he said.
Bugbear packs a treacherous payload: It installs a keylogger on infected systems, so it can watch everything a victim types and steal information like passwords and account numbers. And it’s quick march through cyberspace was a bit unexpected.
“We expected it to grow, but not as fast as it grew,” Tony Magallanez, spokesperson for F-Secure Corp., said. “It’s significantly faster than what we or anybody expected.”
Network Associations Inc. raised its assessment to “high risk,” on Thursday, up from “low risk” earlier in the week. And Symantec Corp. raised its threat level to 4, out of 5. Last Monday, when it was first discovered, Bugbear was rated a relatively tame 2.
The worm can be a terrific pest to corporate network administrators. If an infected machine is connected to a networked printer, that printer will begin spewing out pages of garbled text until it’s shut down, according to Symantec.
But more worrisome is the worm’s ability to install secretive key-logging software capable of stealing passwords and credit card numbers.
Infected computers are rigged with a Trojan horse component called “PWS-Hooker” that secretly watches every keystroke on an infected computer, and stores the captured information on the computer in encrypted form. The data can be accessed later by the virus writer or anyone else who happens upon the infected computer, or it can be e-mailed to the author.
Bugbear might be spreading because it is cleverly crafted and difficult to spot with the naked eye. It arrives in a victim’s e-mail inbox with a subject line chosen randomly from dozens of possibilities, including:
Free shipping!
Get 8 FREE issues - no risk!
Get a FREE gift!
My eBay ads
New bonus in your cash account
New Contests
The actual infected file arrives as an attachment, which also has a random name. And Bugbear’s first task, upon infection, is to disable all installed antivirus software.
“It’s throwing a lot of things at people to see if it can find something to slip under the radar,” Vincent Gullotto, vice president of the AVERT virus research lab at Network Associates Inc.
The bug spreads itself in the usual way, by sending copies of itself to people in the victim’s Outlook address book. It also propagates through network-connected computers.
The program gets its name from a line in its underlying computer code which says “Bugbear,” according to Symantec Corp., which named it.