From our understanding of the virus, the Bugbear infects and sometimes
replaces legitimate applications such as Acrobat Reader, Media Payer,
etc with itself. If the virus replaces the original file, then
original file is deleted and replaced with pure virus.
In such a case, the application can not be cleaned it must be deleted.
See the description of the virus at
[log in to unmask]" target="_blank">http:[log in to unmask]
Here is a list of the files that it targets:
Local and network file infection
Windows Media Player\mplayer2.exe
On Friday, June 6, 2003, at 09:05 AM, Andrew Hendrickson wrote:
> Okay, not sure if this is something we can control or not, but the
> current NAV settings pushed out to clients are way too overzealous.
> What's happening is that apparently NAV thinks it's unable to clean
> the BugBear virus from the legitimate Windows files that it gloms
> onto, thus instead of the usual process whereby the file ends up
> quarantined, NAV immediately deletes the file after a lame attempt at
> cleaning it. This means that important Windows files such as Acrobat
> Reader, Media Player, the Netware client, Notepad, etc, get
> immediately canned. If we can control this, please shut it off, and
> put Norton back into quarantine mode before we have literally
> hundreds of Windows machines rendered inoperable.
> The free Stinger util from http://vil.nai.com/vil/stinger/ quite
> handily cleans the virus from all legit Windows files. I don't see
> why NAV can't do the same?
> If your machine is infected, pay close attention to what NAV is
> doing. If you've been infected for a while, legit Windows files will
> be deleted by NAV.
> First download Stinger. Then restore those deleted files through the
> NAV Backup window, then immediately reboot in safe mode (ask your
> local support tech if you don't know how to do this), which disables
> NAV, and then run Stinger on a full scan starting at c:\. Stinger
> will clean the files that NAV wanted to delete and off you go, a hard
> lesson learned.
> Andrew Hendrickson
> Information System Analyst
> College of A & S Computing Services
> 479 Main Street, Room 302
> Burlington, VT 05405-0144
> (802) 656-7971
> Fax (802) 656-3018
> [log in to unmask]
> For faster service, use our online request system:
CIT Client Services
University of Vermont