A new e-mail-borne virus variously known as "Tanatos," and "W32/Bugbear," is being circulated as an e-mail attachment and appears to target machines running Microsoft operating systems, according to alerts issued by a number of computer security companies.

The virus file is attached to e-mails with a wide variety of subject lines such as "bad news," "Membership Confirmation," "Market Update Report," and "Your Gift," and appears to use randomly-generated names to avoid detection by antivirus software, as well as multiple file extensions to disguise the fact that it is an executable file, according to Vincent Gullotto, vice president of the McAfee AVERT (Anti-Virus Emergency Response Team) at Network Associates.

Once activated, the virus shuts down scores of vital processes used by Windows and by antivirus software, records user keystrokes, opens a backdoor to the infected machine for use by attackers, and attempts to mail copies of itself out to other users, randomly generating new subject lines and virus executable names as it does, according to Gullotto.

Despite receiving numerous copies of the virus from customers and partners, however, antivirus researchers at AVERT have been unable to get the mail function of the virus to work, said Gullotto.

"All samples we've seen may not be the result of a mass mailing produced by someone launching the virus. We could just be witnessing the seeding of the virus, by the author, rather than evidence that it's working on other systems, " said Gullotto.

The new virus takes advantage of a known vulnerability in Microsoft's Internet Explorer versions 5.01 and 5.5 that allows attackers to embed malicious code in the header of an improperly formatted HTML message that could cause e-mail clients such as Outlook to automatically launch attached executable files.

Microsoft addressed the issue in Service Bulletin MS01-020 and issued a patch for the vulnerability in March of 2001.

The fact that the virus targets a known and patched vulnerability, coupled with its apparent inability to mail itself makes security experts such as Gullotto doubt that this new threat will spread too widely.

"At this point (AVERT) is rating this a medium risk. We don't expect it to be a big issue."

Still, Gullotto advises users of Internet Explorer to make sure that they have applied any available security patches. Users of Internet Explorer version 5 are particularly vulnerable to infection by Tanatos, he said -- especially if they are not blocking e-mail attachments.

And, as with all new viruses, the appearance of Tanatos points to the need for IT managers to take a hard look at vulnerabilites in their network infrastructure.

"People need to revisit their security policies and practices," said Gullotto.

"I know that it's a lot of work to stay on top of these patches -- Microsoft released 50 of them this year alone. But you have to weigh your risks--are you going to do nothing and wait for something to happen, or are you going to find a way to incorporate patching into your processes?"

By Paul Roberts
September 30, 2002