Print
Discuss
Send to friend
RSS feeds
Daily news podcastA worm which disables security software and can steal passwords and credit card details is spreading rapidly through Windows-based PCs, according to antivirus companies.
Codenamed Bugbear, the worm was first detected in Malaysia and is spreading fast.
Network Associates' Anti-Virus Emergency Response Team identified the worm on 29 September and has upgraded its threat rating from 'low' to 'medium'.
Antivirus company MessageLabs has reported 6,000 infections in the UK, US and India.
The worm copies itself into the Windows system directory and start-up folder as a .exe file with a random three letter name.
Once installed it disables antivirus and firewall software and installs a Trojan keystroke logger as a DLL, detected as PWS-Hooker.dll.
Whatever the PC user types via the keyboard, such as passwords or sensitive information, is sent to the originator of the virus via the TCP port 36794.
The worm also seeks to infect all other PCs on the network via the address book and network shares.
In addition it takes advantage of a longstanding Microsoft exploit, MS-01/020, as did Klez. A patch for this has been available since March 2001.
"It beggars belief that this exploit is still being used," said Mark Toshack, virus analyst at MessageLabs.
"While this worm is new, the vulnerabilities it exploits are not. Home users must shoulder much of the blame for not updating their systems."
The infected emails are headed by a variety of greetings intended to trick users into allowing them into their own computers. It is common for the infected attachment name to contain a double-extension such as doc.pif.
The worm only affects Windows PCs and a patch is available from antivirus vendors.
See also:
All Enterprise Security Technology
del.icio.us
Digg this
reddit!
