New Bugbear Worm Exploits Unpatched IE Vulnerability
Bugbear.e, also known as Tanatos.e and PWSteal Hooker, spreads via e-mail, uses a hole in IE first discovered in February, and can steal confidential information from infected computers.
Bugbear.e arrives as an e-mail message -- it spoofs the From: address by hijacking addresses from already-compromised Windows machines -- that can sport a wide variety of subject headings, including "Introduction," "My eBay ads," and "Your News Alert."
The payload, which can arrive either as an attached .zip archive or as a MIME HTML file, infects the system when the .zip file is opened or when the HTML message is viewed. The latter technique exploits the as-yet-unpatched IE vulnerability to infect users smart enough to know not to launch an attached file.
"Bugbear.e includes a new zero-day vulnerability exploit that just surfaced in the wild in February of this year," said Ken Dunham, director of malicious code research for iDefense, in an e-mailed statement. "If the hostile .htm file is executed, the worm silently installs itself on the computer."
Like other malware, Bugbear disables a wide range of running programs, particularly personal firewall and anti-virus software, including the BlackICE and ZoneAlarm firewalls and F-Secure's and Symantec's anti-virus defenses.
If it manages to sneak onto a system, Bugbear loads a keylogger to track keystrokes, then transmits the results -- which can include passwords and usernames entered at the keyboard -- as well as the contents of the Windows clipboard and e-mails to the hacker's remote Web site.
Bugbear.e is the most recent variant in the worm family. The last iteration in the Bugbear line appeared in 2003, and targeted over a thousand financial institutions, said Dunham, stealing confidential information from users' machines. During 2003, Bugbear struck hard enough to cause security firm Symantec to raise its threat level to a "4" in its 1 through 5 scale. (Symantec has never assigned a worm or virus a "5.")
As of mid-morning Tuesday, anti-virus firms had already posted virus definition updates to account for the new worm. Currently, most security firms tag Bugbear.e as a low-level threat. Symantec, for instance, assigned it a "2" in its alert scale, while Network Associates labeled it with a "low" ranking.
This story courtesy of TechWeb News