03 Oct 2002, Iain Thomson, V3
After a slow start the Bugbear worm looks set to become the number one threat to computer users, with over 300,000 cases already recorded by MessageLabs.
Experts have indicated that it will become bigger than Klez, which has topped the charts for months but is now starting to fall off as users update their antivirus software.
"This worm started out looking like a slow burner but it's really taken off with a vengeance," said Paul Wood, Virus Eye manager for MessageLabs.
"We'd expected cases to start tailing off but they're going through the roof. We're getting cases logged in faster than we can post the numbers up on the website."
Once installed, Bugbear disables antivirus and firewall software and installs a Trojan keystroke logger as a DLL, detected as PWS-Hooker.dll.
Anything the PC user types on the keyboard, such as passwords or other sensitive information, is sent to the originator of the worm via TCP port 36794.
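A defender's check for the behaviour described above, as an added example that is not part of the original article: it scans Windows `netstat -an` output for TCP sockets that use port 36794 on either end. The sample output, the addresses and the function names are constructed for illustration.

```python
"""Flag TCP sockets that involve port 36794 in Windows `netstat -an` output."""

BUGBEAR_PORT = 36794  # TCP port named in the article

# Constructed sample in `netstat -an` layout; addresses are documentation ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:36794          0.0.0.0:0              LISTENING
  TCP    192.0.2.20:1045        203.0.113.9:36794      ESTABLISHED
  TCP    192.0.2.20:1046        198.51.100.7:80        ESTABLISHED
  TCP    192.0.2.20:3679        198.51.100.7:6794      ESTABLISHED
  UDP    0.0.0.0:36794          *:*
"""


def endpoint_port(endpoint):
    """Return the numeric port of 'addr:port' (IPv4 or [IPv6]), or None."""
    _, sep, port = endpoint.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def find_port_hits(netstat_text, port=BUGBEAR_PORT):
    """Return one dict per TCP row whose local or foreign port equals `port`."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly four columns; headers and UDP rows are skipped.
        if len(fields) != 4 or fields[0].upper() != "TCP":
            continue
        _, local, foreign, state = fields
        if endpoint_port(local) == port:
            side = "local"    # this host has the port open
        elif endpoint_port(foreign) == port:
            side = "remote"   # this host is talking to the port elsewhere
        else:
            continue          # near misses such as 3679 or 6794 fall through
        hits.append({"local": local, "foreign": foreign,
                     "state": state, "side": side})
    return hits


if __name__ == "__main__":
    for hit in find_port_hits(SAMPLE_NETSTAT):
        print("{side:6} {state:12} {local} -> {foreign}".format(**hit))
```

A hit only shows that the port is in use; it still has to be tied to a process and confirmed with an antivirus scan.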
"This worm will be bigger than Klez," said Graham Cluley, senior technical consultant for Sophos.
"Whoever wrote it has effectively launched a denial of service against himself, given the amount of information that must be coming in. We haven't been this busy all week."
The worm also seeks to infect all other PCs on the network via the address book and network shares.
It also takes advantage of a longstanding Microsoft vulnerability, MS01-020, as did Klez. A patch for this has been available since March 2001.
Reacting to the worm has been complicated by the fact that it forges headers on the email that it uses to distribute itself.
This leaves the recipient looking at the wrong people when trying to find the source, which has led to help lines being swamped by confused users.
While businesses have been quick to patch their protective software, it now seems to be home users who are incubating and spreading the worm, according to Cluley.
Bugbear only affects Windows PCs and a patch is available from antivirus vendors.