About BugBear
Also known as: W32.Bugbear@mm, W32/Bugbear-A, W32/Bugbear.A@mm,
W32/Bugbear.worm, W32/Tanat, W32/Tanat-mm, Win32Bugbear, Worm/Tanatos,
WORM_NATOSTA.A
This worm can spoof, or forge, the 'From:' field, which is
often set to an address found on the victim's machine.
Additionally, the virus can use a fabricated From address by
taking the name before the "@" sign of one address and the
domain name after the "@" sign of another address
(i.e. name1@domain1.com + name2@domain2.com = name1@domain2.com).
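The name1@domain2 splice described above can be used as a triage heuristic when reviewing suspicious mail. The following is an added example, not part of the original page: the function names and sample addresses are constructed for illustration, and it assumes you have a list of addresses known to be genuine (for instance a directory export).

```python
from email.utils import parseaddr

def split_addr(addr):
    """Return (local, domain) lower-cased, or None if not a plain address."""
    _, email_addr = parseaddr(addr)
    local, sep, domain = email_addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    return local.lower(), domain.lower()

def classify_from(from_header, known_addresses):
    """Classify a From: header against addresses known to be real.

    "known"   - the exact address is in the known set
    "spliced" - local part and domain each occur in the known set, but
                only in different addresses (the name1@domain2 pattern)
    "unknown" - neither of the above
    "invalid" - the header has no parsable address
    """
    parts = split_addr(from_header)
    if parts is None:
        return "invalid"
    known = {p for p in map(split_addr, known_addresses) if p}
    if parts in known:
        return "known"
    local, domain = parts
    locals_seen = {l for l, _ in known}
    domains_seen = {d for _, d in known}
    if local in locals_seen and domain in domains_seen:
        return "spliced"
    return "unknown"

# Constructed sample data (not from the original page).
KNOWN = ["alice@example.com", "bob@example.org", "Carol <carol@example.net>"]
SAMPLES = [
    "alice@example.com",          # exact match
    "Alice <alice@example.org>",  # alice's name + bob's domain
    "dave@example.org",           # name never seen before
    "not-an-address",             # unparsable
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:32} -> {classify_from(s, KNOWN)}")
```

A "spliced" result is only a hint: a genuine sender with a common local part at a known domain is flagged the same way, so treat it as a reason to inspect the message, not as proof of infection.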
This virus is written in MSVC and packed with UPX. It
affects systems running the Windows operating system. It does
not affect MacOS or Linux environments. It spreads via network
shares and by emailing itself. It also contains a backdoor
trojan component that contains keylogging functionality.
Removal Instructions
Automatic Removal:
BugBear can be detected and removed automatically by McAfee
VirusScan.
Once a system is infected, VirusScan may not be able to run,
because the virus can terminate the process before any scanning
or removal is accomplished.
The following steps circumvent the virus and allow proper
VirusScan scanning and removal by using the command-line scanner.
- Ensure that you are using the minimum DAT (specified above) or higher
- Close all running applications
- Disconnect the system from the network
- Click START | RUN, type command and hit ENTER
- Change to the VirusScan engine directory:
  - Win9x/ME - Type cd \progra~1\common~1\networ~1\viruss~1\40~1.xx and hit ENTER
  - WinNT/2K/XP - Type cd \progra~1\common~1\networ~1\viruss~1\4.0.xx and hit ENTER
- Type scan.exe /adl /clean and hit ENTER
- After scanning and removal is complete, reboot the system and reconnect to the network
Additional Windows ME/XP removal considerations