Bugbear infections top 60,000

by Iain Thomson

03 Oct 2002

Infections by the Bugbear worm (also known as Tanatos) have rocketed overnight - but this new threat has had unexpected benefits.

There have been over 60,000 reported cases of the worm, with 22,000 new infections in the last 24 hours, according to antivirus firm MessageLabs.

Asia and the Far East have been the worst hit areas, with the US a close second. Bugbear was first detected in Malaysia.

Jack Clark, of the Network Associates AntiVirus Emergency Response Team (Avert), said Bugbear currently accounts for 30-40 per cent of all desktop infection reports.

"On one level there's no reason why this worm should still be spreading when all the antivirus companies had fixes available within three hours. Users need to be getting virus updates more frequently to keep threats like this to a minimum," he said.

But an unexpected and positive side effect of the virus is that infections by the most prevalent worm, Klez, have dropped as users update their antivirus software to cope with the new threat.

"We're used to seeing about 20,000 cases of Klez infection a day," said Paul Wood, Virus Eye manager for MessageLabs. "This has dropped down to 6,000 and is falling further as people update their systems."

The worm copies itself into the Windows system directory and start-up folder as an .exe file with a random three-letter name.

Once installed, it disables antivirus and firewall software and installs a Trojan keystroke logger as a DLL, detected as PWS-Hooker.dll.

Anything the PC user types via the keyboard - such as passwords or sensitive information - is sent to the originator of the virus via TCP port 36794.

The worm also seeks to infect all other PCs on the network via the address book and network shares.

It also takes advantage of a longstanding Microsoft vulnerability, MS01-020, as did Klez. A patch for this has been available since March 2001.

Although the email addresses used to receive stolen key logging data have now been shut down, the worm still leaves users vulnerable to port-scanning software that is freely available to hackers on the web.

The worm only affects Windows PCs and a patch is available from antivirus vendors. A patch for the Microsoft vulnerability can be found here.
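
As an added example (not part of the original article), the two host indicators described above, a three-letter .exe in the start-up folder or system directory and activity on TCP port 36794, can be checked with a short Python script. The netstat output, file listings and allowlist are constructed sample data, and the function names are hypothetical.

```python
import re

BUGBEAR_PORT = 36794  # TCP port named in the article
THREE_LETTER_EXE = re.compile(r"^[a-z]{3}\.exe$", re.IGNORECASE)
# Assumption: a small allowlist of stock Windows tools with three-letter names,
# so that legitimate system files are not reported.
KNOWN_SYSTEM_EXES = {"cmd.exe", "ftp.exe", "net.exe", "arp.exe"}


def suspicious_sockets(netstat_text):
    """Return `netstat -an` TCP lines whose local or remote port is 36794."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].upper() != "TCP":
            continue  # header, blank line or non-TCP entry
        ports = [addr.rsplit(":", 1)[-1] for addr in fields[1:3]]
        if str(BUGBEAR_PORT) in ports:
            hits.append(line.strip())
    return hits


def suspicious_files(startup_names, system_names):
    """Flag three-letter .exe names in the start-up folder and system directory."""
    hits = []
    for name in startup_names:
        # Any three-letter .exe in the start-up folder is worth a look.
        if THREE_LETTER_EXE.match(name):
            hits.append(("startup", name))
    for name in system_names:
        if THREE_LETTER_EXE.match(name) and name.lower() not in KNOWN_SYSTEM_EXES:
            hits.append(("system", name))
    return hits


# Constructed sample data, not taken from a real infected host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:36794          0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      192.168.1.1:80         ESTABLISHED
"""
SAMPLE_STARTUP = ["desktop.ini", "qxz.exe", "Office Startup.lnk"]
SAMPLE_SYSTEM = ["cmd.exe", "kernel32.dll", "wfk.exe", "notepad.exe", "ftp.exe"]

if __name__ == "__main__":
    for line in suspicious_sockets(SAMPLE_NETSTAT):
        print("socket:", line)
    for where, name in suspicious_files(SAMPLE_STARTUP, SAMPLE_SYSTEM):
        print("file:", where, name)
```

A match is only a prompt for a full scan with updated antivirus signatures, since a three-letter file name or an open port alone does not confirm infection.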
