The Bugbear/Tanatos mass-mailing worm takes advantage of a vulnerability so well known that Microsoft released a patch to fix it a year ago. This worm installs a keystroke-logging Trojan and a backdoor on Windows systems, so it is a dangerous nuisance that needs to be taken seriously.

According to Symantec, the worm comes in the form of a 50-KB C++ e-mail attachment with various names and an extension of .exe, .scr, or .pif. The executable code is embedded in an HTML e-mail and the vulnerability in IE 5.x causes the program to run automatically when the e-mail is opened. The worm uses its own SMTP engine and addresses harvested from the infected system’s databases to generate a mass mailing. Bugbear will also attempt to compromise security on the infected system.

Within just a few days, this infection spread so quickly that Symantec increased the threat rating of this worm twice.

This infection attacks a system through unpatched versions of Internet Explorer 5.01 and IE 5.5 installed on any Windows operating system. Browsers running on Macintosh, Linux, and UNIX systems are not vulnerable to this threat.

Risk level—high
This is a widely distributed worm with a dangerous payload. Despite the fact that most systems should be fully protected by a patch or antivirus software, Bugbear has quickly surpassed Klez, SirCam, and all other recent malicious attacks on MessageLabs’ list of most commonly encountered viruses and worms.

A lot of copies of this worm are floating around, so your users are likely to encounter it. Once it installs itself on one PC, it can spread through network connections as well as e-mail messages.

Mitigating factors
If you have applied the latest IE patches to your systems or are using IE 6, this attack won’t succeed. Also, any recently updated antivirus software should block this attack.

To block the attack, apply the Microsoft patch. The initial report on this vulnerability is Microsoft Security Bulletin MS01-020, which was originally posted on March 29, 2001. But the patch in this bulletin has been superseded by the IE 5.01 and IE 5.5 patches listed in MS01-027, so you should look at both bulletins and evaluate your options before applying a patch. Cumulative patches have also addressed this threat.

Your other option is to upgrade to IE 6 or above.

To fix an infected system, use an antivirus program to remove the virus and then apply the patch.

When the attachment is opened, Bugbear determines the operating system version and creates copies of various malicious programs in different directories, depending on the OS. Antivirus software should remove any malicious files, but Bugbear will also create other files that must be removed manually. These are listed in detailed reports on this infection, such as the one found on Symantec’s site. The Symantec report on this infection also lists about 100 programs (such as antivirus applications and firewalls) that the worm searches for and attempts to disable every few seconds.

Listing A shows possible subject headers for the e-mail attack.

As you can see, a number of these subject lines look innocent enough to trick users into opening the e-mail. Further temptation comes from the fact that the message will appear to come from a known source because the worm spreads using addresses found on user systems in the current inbox or taken from a number of database files that commonly contain e-mail addresses.

The Mitre identifier for this MIME vulnerability is CVE 2001-0154, and the BugTraq identifier is 20010330, “Incorrect MIME header can cause IE to execute e-mail attachment.” You can find more about this infection in this CNET News report and by reading some additional commentary at

Final word
The lesson from Bugbear is clear. We can blame Microsoft for poor security—and it often deserves criticism. But IT professionals must take a large share of the blame if this worm infects systems they are responsible for. Microsoft was on top of this vulnerability 18 months ago, and anyone who consistently neglects to maintain critical patches on their systems should reevaluate their procedures.