A revised version of the Bugbear computer worm, given the top threat rating by anti-virus software firms, has been found to contain a long list of financial companies.
鈥淏ugbear.B鈥 is derived from the original Bugbear computer worm, which infected many computers in October 2002. The new version has an even greater range of nasty tricks and has spread much more quickly. 鈥淚 don鈥檛 think the author could have put anything else in,鈥 says Jack Clark, technology consultant at Network Associates.
Among the worm鈥檚 most malicious features is a 鈥渂ack-door鈥 program that allows remote control over an infected machine. It also has a 鈥渒eylogger鈥 designed to grab passwords and other sensitive information.
Advertisement
But perhaps the worm鈥檚 most unusual feature is a long list of domain names belonging to financial institutions around the world. Graham Cluley, chief virus researcher at UK anti-virus company Sophos, says the purpose of the list is unclear.
鈥淲e have researchers working on that,鈥 he told 快猫短视频. 鈥淚t appears that it may act differently when running on computers inside those domains.鈥 But Cluley says it may also be that the worm will activate its keylogger when a victim visits their bank online, in an attempt to capture passwords.
Automatic opening
US company MessageLabs, which scans through email in bulk, reported on Friday that it had caught over 115,000 copies of the worm. Some anti-virus software vendors have classified the worm as the most serious threat possible and issued software updates to enable customers鈥 anti-virus programs to snare the virulent code.
Bugbear.B is automatically forwarded as an email attachment and exploits a bug in Microsoft Outlook and Internet Explorer to run itself without any action from the target computer鈥檚 user.
If the infected computer uses a dial-up modem to reach the internet, the worm will automatically attempt to dial-up.
It is more chameleon-like than its predecessor. It generates the carrier email鈥檚 subject line from a random list or from a filename found on the infected machine. The worm also sends itself as a reply to any incoming messages to further the chances of infecting other PCs.