Bugbear threat level raised

Network Associates Inc. raised its risk assessment of the Bugbear.b mass-mailing worm to high after the virus attacked over 1,000 banks across the globe earlier this week.

W32/Bugbear.b@MM, otherwise known as Bugbear.b, was discovered on June 5. The virus is an Internet mass mailing worm that, once activated, e-mails itself to addresses found on local systems, spoofing or forging the sender’s address. It is the first known virus to target financial institutions and the virus reportedly tries to steal corporate passwords. The threat level was increased this week when Bugbear attempted to attack some of Australia’s largest banks.

The virus extracts addresses from file names with the following strings: .DBX, .EML, INBOX, .MBX, .MMF, .NCH, .ODS, and .TBB. Bugbear also spreads by using the default SMTP engine. Users will know that their systems have been infected by the presence of non-standard .EXE files in the start-up folder, according to Network Associates. The virus uses several subject headers and users should delete all e-mails that contain the following subject lines: “Announcement,” “Daily Email Reminder,” “fantastic,” “free shopping,” “Get 8 FREE issues-no risk!” or “Get a FREE gift.”

Once Bugbear infects a computer, it will attempt to terminate the process of the system’s security program. It contains a polymorphic parasitic file that allows the virus to change with each infection.

In North America, it doesn’t appear as if the virus is spreading rapidly. Computer Associates International Inc.’s Sam Curry, director, e Trust in Islandia, N.Y., said that the majority of its customers have reported not being hit by Bugbear. Curry said no statistics were available to quantify the number of attacks.

“[Bugbear] knows of a thousand or so different bank domain names and it infects the system with an Internet Protocol (IP) address because it looks through the system and finds e-mail addresses. If it finds a system with an e-mail whose domain matches one of the known banks, it behaves differently,” Curry said. The virus also has the ability to delete executables related to security programs and could then affect the security level of those companies, he noted.

Joanne Hayes, a spokesperson for the Bank of Montreal in Toronto, said it has been monitoring the virus situation. “There has been no indication that there has been any impact on our systems” to date, Hayes said. The bank said it is using standard antivirus commercial products to fend off attacks. She added that Bugbear is seen as a “high” threat because it is a blended threat of a virus and Trojan horse.

Still, as Curry noted, financial institutions may be reluctant to report being hit by an attack because of the potential ramifications. “With some of the accounting laws and privacy regulations, there’s big concern among financial institutions about what is given up. If information related to customers (is lost), has it damaged the customer (and) is [the bank] potentially liable?”

A fix for Bugbear is available at http://vil.nai.com/vil/content/v_100358.htm. For more information, visit www.nai.com and www.ca.com.