Mac users cannot be infected by Bugbear.B or its associated
PWS.Hooker.Trojan.



On Fri, 6 Jun 2003, Meredith Woodward King wrote:

> Are Mac users (as usual) safe from this?
>
> In other words, is it directed at Windows users, especially those using
> Outlook?
>
> Meredith
>
> On Friday, June 6, 2003, at 10:09  AM, awestber wrote:
>
> > From our understanding of the virus, the Bugbear infects and
> > sometimes replaces legitimate applications such as Acrobat Reader,
> > Media Player, etc. with itself.  If the virus replaces the original
> > file, then the original file is deleted and replaced with pure virus.
> > In such a case, the application cannot be cleaned; it must be deleted.
> >
> > See the description of the virus at
> > http:[log in to unmask]
> >
> > Here is a list of the files that it targets:
> >
> >
> > Local and network file infection
> > scandskw.exe
> > regedit.exe
> > mplayer.exe
> > hh.exe
> > notepad.exe
> > winhelp.exe
> > Internet Explorer\iexplore.exe
> > adobe\acrobat 5.0\reader\acrord32.exe
> > WinRAR\WinRAR.exe
> > Windows Media Player\mplayer2.exe
> > Real\RealPlayer\realplay.exe
> > Outlook Express\msimn.exe
> > Far\Far.exe
> > CuteFTP\cutftp32.exe
> > Adobe\Acrobat 4.0\Reader\AcroRd32.exe
> > ACDSee32\ACDSee32.exe
> > MSN Messenger\msnmsgr.exe
> > WS_FTP\WS_FTP95.exe
> > QuickTime\QuickTimePlayer.exe
> > StreamCast\Morpheus\Morpheus.exe
> > Zone Labs\ZoneAlarm\ZoneAlarm.exe
> > Trillian\Trillian.exe
> > Lavasoft\Ad-aware 6\Ad-aware.exe
> > AIM95\aim.exe
> > Winamp\winamp.exe
> > DAP\DAP.exe
> > ICQ\Icq.exe
> > kazaa\kazaa.exe
> > winzip\winzip32.exe
> >
> > On Friday, June 6, 2003, at 09:05  AM, Andrew Hendrickson wrote:
> >
> >> Okay, not sure if this is something we can control or not, but the
> >> current NAV settings pushed out to clients are way too overzealous.
> >>
> >> What's happening is that apparently NAV thinks it's unable to clean
> >> the BugBear virus from the legitimate Windows files that it gloms
> >> onto, thus instead of the usual process whereby the file ends up
> >> quarantined, NAV immediately deletes the file after a lame attempt at
> >> cleaning it.  This means that important Windows files such as Acrobat
> >> Reader, Media Player, the Netware client, Notepad, etc, get
> >> immediately canned.  If we can control this, please shut it off, and
> >> put Norton back into quarantine mode before we have literally
> >> hundreds of Windows machines rendered inoperable.
> >>
> >> The free Stinger util from http://vil.nai.com/vil/stinger/ quite
> >> handily cleans the virus from all legit Windows files.  I don't see
> >> why NAV can't do the same?
> >>
> >> If your machine is infected, pay close attention to what NAV is
> >> doing.  If you've been infected for a while, legit Windows files will
> >> be deleted by NAV.
> >> First download Stinger.  Then restore those deleted files through the
> >> NAV Backup window, then immediately reboot in safe mode (ask your
> >> local support tech if you don't know how to do this), which disables
> >> NAV, and then run Stinger on a full scan starting at c:\.  Stinger
> >> will clean the files that NAV wanted to delete and off you go, a hard
> >> lesson learned.
> >>
> >>
> >> --
> >>
> >> ----------------------------------------------
> >> Andrew Hendrickson
> >> Information System Analyst
> >> College of A & S Computing Services
> >> UVM
> >> 479 Main Street, Room 302
> >> Burlington, VT 05405-0144
> >>
> >> (802) 656-7971
> >> Fax (802) 656-3018
> >> [log in to unmask]
> >>
> >> For faster service, use our online request system:
> >> http://footprints.uvm.edu/ashelp.html
> >>
> > April Westberg
> > Computing Analyst
> > CIT Client Services
> > University of Vermont
> >
>