A new variant of the Bugbear worm was discovered on June 4, 2003. Like its predecessor, Bugbear.B is a mass-mailing email worm that also infects via network shares, contains a backdoor access component, and disables certain antivirus and security products found on the system. Bugbear.B uses its own SMTP engine, so it works independently of the installed mail client, and it can spoof the sender's From address so that the message appears to come from someone other than the infected party. Additionally, unlike Bugbear.A, the backdoor component of Bugbear.B does not use secure authentication, leaving the backdoor open to any hacker and not just the worm's author.
"This virus is tricky, it contains many different techniques. It has UPX compression, encryption with random keys, backdoors, key-logging, retro-functionality, aggressive mass-mailing and network worm capabilities," explains Mikael Albrecht, Product Manager of F-Secure. "The network worm capabilities may be dangerous to large organisations. It may cause very fast outbreaks if this virus manages to get inside the firewall."
Most insidiously, Bugbear.B contains a large list of domain names belonging mainly to banks from a wide range of countries. "The list of bank domains that the worm has includes banks from all over the world: Europe, US, Asia and Africa," says Mikael Albrecht. Bugbear.B also includes an encrypted list of email addresses. According to F-Secure, at startup the worm checks the domain name of the infected computer and compares it to its internal list. If the domain name matches, the worm enumerates cached passwords and sends them to a randomly selected e-mail address from the list of addresses it maintains.
The email composed by the Bugbear worm varies and can even be assembled from older, legitimate emails found on the infected user's system. Likewise, the name of the attachment can vary, but it will have an .EXE, .PIF, or .SCR extension. By default, Windows hides these executable file extensions. To identify attachment types reliably, follow the steps outlined in the File Extension Center to enable the display of file extensions.
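As an added example (not code from the article, F-Secure or Symantec), a small mail filter that parses a message and flags attachments whose real extension is .EXE, .PIF or .SCR, including names such as report.doc.scr that Explorer would show as a document when extensions are hidden; the sample message is constructed for the demonstration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Attachment extensions the article reports for Bugbear.B. The check looks at
# the final extension only, which is exactly the part Explorer hides by default.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr"}


def flagged_attachments(raw_message: bytes):
    """Return (filename, reason) for every attachment with an executable extension."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = os.path.splitext(name)
        if ext.lower() not in EXECUTABLE_EXTENSIONS:
            continue
        # A second extension before the real one ("report.doc.scr") is the
        # disguise that works when Windows suppresses the trailing extension.
        inner_ext = os.path.splitext(stem)[1].lower()
        reason = "executable attachment"
        if inner_ext:
            reason = f"executable attachment disguised as {inner_ext}"
        findings.append((name, reason))
    return findings


def build_sample() -> bytes:
    """Constructed message for the demo; the attachment bytes are placeholders."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"   # constructed sender address
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Re: Q2 report"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"MZ-placeholder", maintype="application",
                       subtype="octet-stream", filename="Q2_report.doc.scr")
    msg.add_attachment("meeting notes", filename="notes.txt")
    msg.add_attachment(b"MZ-placeholder", maintype="application",
                       subtype="octet-stream", filename="SETUP.EXE")
    return bytes(msg)


if __name__ == "__main__":
    for filename, reason in flagged_attachments(build_sample()):
        print(f"{filename}: {reason}")
```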
Bugbear.B continually monitors active processes and shuts down any matching an internal list of security and antivirus programs. Bugbear.B was not initially detectable by antivirus software with the exception of Nod32, which heuristically detected it without needing updates. Aside from Nod32, users who received the worm initially would not have received an alert from their antivirus software. Thus, those infected by it prior to the necessary updates being available would also have their antivirus and security software compromised. This could result in an inability to run the antivirus program or update the definition files, making detection of the Bugbear.B worm difficult. F-Secure offers a free removal tool to detect and disinfect a Bugbear.B infected system. A similar free removal tool is also available from Symantec.