Bugbear's Back

A new worm that exploits an unpatched vulnerability in Microsoft's Internet Explorer was discovered Tuesday by several security firms.

Bugbear.e, also known as Tanatos.e and PWSteal Hooker, spreads via E-mail, uses a hole in Internet Explorer first discovered in February, and can steal confidential information from infected computers.

Bugbear.e arrives as an E-mail message--it spoofs the From: address by hijacking addresses from already-compromised Windows machines--that can sport a wide variety of subject headings, including "Introduction," "My eBay ads," and "Your News Alert."

The payload, which can come as a .zip attached archive file or as a MIME HTML file, infects the system when the .zip file is opened, or when the HTML message is viewed. The latter technique exploits the as-of-yet-unpatched IE vulnerability to infect users smart enough to know not to launch an attached file.

"Bugbear.e includes a new zero-day vulnerability exploit that just surfaced in the wild in February of this year," Ken Dunham, director of malicious code research at iDefense, said in an E-mailed statement. "If the hostile .htm file is executed, the worm silently installs itself on the computer."

Like other malware, Bugbear disables a wide range of in-memory programs, particularly personal firewall and anti-virus software, including the BlackIce and ZoneAlarm firewalls, and F-Secure's and Symantec's anti-virus defenses.

If it manages to sneak onto a system, Bugbear loads a keylogger to track keystrokes, then transmits the results--which can include passwords and user names entered at the keyboard--as well as the contents of the Windows clipboard and E-mails to the hacker's remote Web site.

Bugbear.e is the most recent variant in the worm line. The last iteration appeared in 2003 and targeted more than 1,000 financial institutions, stealing confidential information from users' machines, Dunham said. During 2003, Bugbear struck hard enough to cause security firm Symantec to raise its threat level to a "4" on its 1-through-5 scale--Symantec has never assigned a worm or virus a "5."

Anti-virus firms have already posted virus definition updates to account for the new worm. Most security companies tag Bugbear.e as a low-level threat. Symantec has assigned it a "2" in its alert scale, while Network Associates labeled it with a "low" ranking.