Bugbear worm - how it works

And what to do about it

By CNET Networks

Published: 1 October 2002 08:40 BST

Bugbear arrives via email with no distinct characteristics except for an attached file that is always 50,688 bytes long. The subject line and text may be taken from existing email. Bugbear also arrives through network file sharing.

When run, Bugbear copies itself to the System subdirectory of the Windows folder under a name of four random letters followed by .exe (for example, windows\System\zayb.exe). It also changes the Registry so that it runs each time Windows is loaded, once again using random letters. Finally, it adds itself to the Startup folder as three random letters followed by .exe (for example, Startup\zay.exe).

The Trojan horse part of this worm first terminates many popular firewall and antivirus programs. The Trojan then launches a keystroke-logging program whose filename is a variable number of random letters followed by .dll (for example, avbxcydz.dll). Keystroke-logging programs record the keystrokes typed when filling out login information (passwords) or shopping forms online (credit card information). Files saved by these programs can later be accessed remotely by malicious users. The Trojan component of this worm opens port 36794.
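The file-name patterns, the 50,688-byte size and the open port described above can be checked together with a short triage script. This is an added example, not code from the original article: the function names and directory arguments are hypothetical, and it assumes the dropped copies keep the attachment's size and that the port is TCP. Ordinary Windows programs also have three- and four-letter names, so a name-only match is reported as low confidence.

```python
import re
import socket
import sys
from pathlib import Path

# Indicators taken from the article text.
ATTACHMENT_SIZE = 50_688   # bytes
TROJAN_PORT = 36794        # assumed to be a TCP port
SYSTEM_NAME = re.compile(r"^[a-z]{4}\.exe$", re.IGNORECASE)   # e.g. zayb.exe
STARTUP_NAME = re.compile(r"^[a-z]{3}\.exe$", re.IGNORECASE)  # e.g. zay.exe


def scan_dir(directory, name_re):
    """Return [(file name, confidence)] for files matching the name pattern.

    Assumption: a dropped copy has the attachment's size, so a size match
    raises confidence from "low" to "high".
    """
    folder = Path(directory)
    if not folder.is_dir():
        return []
    hits = []
    for path in sorted(folder.iterdir()):
        if path.is_file() and name_re.match(path.name):
            same_size = path.stat().st_size == ATTACHMENT_SIZE
            hits.append((path.name, "high" if same_size else "low"))
    return hits


def port_listening(port=TROJAN_PORT, host="127.0.0.1", timeout=0.5):
    """True if something accepts TCP connections on the given local port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def triage(system_dir, startup_dir, check_port=True):
    """Collect all three indicator checks into one report."""
    return {
        "system": scan_dir(system_dir, SYSTEM_NAME),
        "startup": scan_dir(startup_dir, STARTUP_NAME),
        "port_open": port_listening() if check_port else None,
    }


if __name__ == "__main__":
    # Usage: python bugbear_triage.py <System dir> <Startup dir>
    print(triage(sys.argv[1], sys.argv[2]))
```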

Prevention
Users of Internet Explorer 6 should be safe from the email portion of this worm. Users of IE 5.01 and 5.5 who have not installed the Infected MIME header patch found in MS01-020 should do so. If you do not need to share files on a network, you should also turn off file sharing within Windows.

Removal
A few anti-virus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system.

Jeanne-Vida Douglas and Robert Vamosi write for ZDNet.com.
