A new version of the Bugbear virus is spreading quickly on the internet, according to alerts posted by leading antivirus companies.
The new variant, called Bugbear.B, was first detected yesterday and shares many of the same characteristics as the first Bugbear virus, which appeared in September last year and was also known as 'Tanatos', according to Finland-based antivirus company F-Secure.
At least one antivirus company, Network Associates, upgraded its rating on the new virus to 'high', the first virus since Slammer to achieve that rating, according to a spokeswoman for Network Associates' McAfee business unit.
Like the first Bugbear virus, the Bugbear.B is an email worm, which spreads by sending copies of itself out as attachments in email messages.
Like its predecessor, Bugbear.B attempts to exploit known vulnerabilities in Microsoft Outlook, Outlook Express and Internet Explorer products that enable attachments to be automatically opened at the same time the email containing them is accessed, according to antivirus company Sophos.
Also like the first Bugbear, Bugbear.B is a messy virus that makes a number of modifications to the systems it infects while dropping copies of programs that can snoop on a user's activity, infecting common Windows applications and opening a back door that could be used by hackers, according to Sophos.
Bugbear.B is also capable of detecting and shutting down antivirus programs that it finds running on the systems it infects, Sophos said.
The Bugbear.B virus arrives in email messages with a variety of subjects such as 'Your news Alert', 'Your Gift', 'click on this!' and 'cows'.
In addition to pulling subjects from a list it maintains internally, the virus randomly extracts content from files on the hard drives of computers it infects and uses that information to supply the subject line for messages carrying the virus, according to David Emm, marketing manager for McAfee Avert.
Like the subject line, the email attachment containing the virus code also uses a variety of names chosen from a list maintained by the worm or grabbed from files on the infected host computer.
Attachments use a variety of file extensions including EXE, SCR and PIF and names such as Readme, Setup, Photo and News according to F-Secure.
Bugbear.B also contains address spoofing features that enables it to pull email addresses skimmed from files on the infected computer and insert them in the 'From' line of the emails it sends out.
Recipients might be tricked into opening the message from a trusted source, and can also be fooled into thinking that the sender's machine has been infected with Bugbear.B when another machine is really the source.
Unlike the first Bugbear virus, however, the new variant is 'polymorphic', meaning it is capable of subtly changing the way the virus code is encrypted to fool antivirus software.
"There's a potential danger with polymorphic viruses that if you don't construct your virus detector properly, you could miss some samples," Emm said.
McAfee Avert first detected the new Bugbear variant on Wednesday, upgrading it to a medium risk and then to a high risk on Thursday as the number of reported infections mounted.
Antivirus companies recommended that customers update their antivirus software to protect against Bugbear.B. Instructions and tools for removing the virus from infected machine were also provided by leading antivirus vendors.