Bugbear Virus Spreading Rapidly Infections by e-mail virus estimated now in the thousands worldwide. Paul Roberts, IDG News Service Wednesday, October 02, 2002 The Bugbear virus is rapidly spreading around the world, according to alerts issued by antivirus companies and computer security experts. The virus first appeared Monday and has since spread rapidly. It is sent as an e-mail attachment with various subject lines, including 'bad news', 'Membership Confirmation', 'Market Update Report', and 'Your Gift'. Code in the virus generates random attachment names and subject lines to avoid easy detection by antivirus software and assigns multiple file extensions to the virus to disguise the fact that it is an executable file, according to Vincent Gullotto, vice president of McAfee's AVERT (Anti-Virus Emergency Response Team) at Network Associates. How It Spreads Advertisement [AD] Once activated, the virus shuts down vital processes used by antivirus and firewall software, records user keystrokes to capture passwords, sends copies of itself as e-mail attachments, and copies itself onto directories shared by networks that are accessible to the computers it infects. The virus appears to be able to forward copies of itself randomly as attachments to old e-mail messages on the computers it infects, according to a statement released by F-Secure of Helsinki Recipients are randomly selected third parties, F-Secure reports. In addition to propagating the virus, this feature discloses otherwise personal e-mail correspondence to third parties. As it attempts to access shared directories on computer networks, the virus may also send copies of itself to shared network printers, which will begin printing the binary code of the virus executable, according to F-Secure. Finally, Bugbear opens a back door to the machines that it infects. Using a Web browser, the virus author or malicious hackers can access a Web interface created by the virus, browse local files on an infected machine, and execute programs on that machine, according to F-Secure. Upgraded Threat Though initial reports indicated that Bugbear's code might contain flaws preventing it from being able to mail itself to new recipients, the rapid spread of the virus over the past two days indicates that the virus is more than capable of reproducing itself. Symantec announced Wednesday that it was upgrading Bugbear to a level-four virus on a scale of one to five, with five being the most serious. Symantec pointed to a rapid increase in reports of the virus from customers, from 157 submissions on Tuesday to more than 2000 by Wednesday morning. In its statement, F-Secure indicated that incidents of the Bugbear infection had surpassed incidents of infection by the Klez virus, which had been the most widely circulated virus of 2002. Reports of new infections are higher in Europe and Asia than in the U.S., according to Chris Wraight, technology consultant at antivirus software maker Sophos PLC. Bugbear is a far less formidable threat than predecessors like Klez, Wraight said. "We're still looking at infections in the thousands. At this point with (the Klez virus) we were talking about millions of infections," Wraight said. Prevention and Protection Leading antivirus software vendors have posted updated virus definitions covering the Bugbear worm. Antivirus software vendors are encouraging customers whose computers have not yet been infected to update their antivirus software. Customers whose computers have been infected need to remove all files related to the virus from their machines and are encouraged to update any passwords that might have been exposed to the virus, according to F-Secure.

Thanks EC, Write up and removal tool; http://www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html