Smart Computing ®
How To Get Rid Of…
Article Last Reviewed February 2005


How To Get Rid Of BugBear.B

Description

The Bugbear.B (aka Tanatos.B) worm, which surfaced in June 2003, is a variant of the original Bugbear worm released in the fall of 2002. It is a mass-mailing worm that also spreads through LAN (local-area network) shares, which lets it propagate across a network. It not only emails itself to addresses found on the infected machine, it also goes a step further and disables some antivirus and firewall products. As if that weren't bad enough, Bugbear.B can install a keylogger program (potentially capturing users' passwords and other sensitive information) and then install a backdoor program that allows access to the infected machine from a remote location across the Internet.

The worm spoofs the sender's address with a random address and uses its own SMTP (Simple Mail Transfer Protocol) engine to send email from the infected computer. The attachment name is borrowed from files found on the infected machine and is known to carry a .PIF, .EXE, or .SCR extension. The virus can affect computers running Windows 9x/NT/Me/2000/XP.

How To Tell If Bugbear.B Is Present On Your PC

Bugbear.B will attempt to copy itself to your system's STARTUP folder so that it activates automatically upon the next system restart. The presence of any unusual file name with an .EXE extension (such as XXXX.exe, with XXXX representing random letters that the worm chooses) in the STARTUP folder should be considered suspect. For example, the worm may copy itself as C:\WINDOWS\STARTMENU\PROGRAMS\STARTUP\AAbb.exe when it runs on a Win9x/Me-based computer or C:\DOCUMENTS AND SETTINGS\CURRENT USERNAME\START MENU\PROGRAMS\STARTUP\Ccdd.exe when it runs on a WinNT/2000/XP-based system. After copying itself to the startup folder of the local machine, it will attempt to copy itself to the startup folder of other machines on the network.

Bugbear.B may also install a keylogger and a backdoor component. The file names of these components are randomly generated, carry a .DLL extension, and are placed in the C:\WINDOWS\SYSTEM or C:\WINNT\SYSTEM directory. The information collected by the keylogger component is written to two similarly named files, also in the SYSTEM directory.

Bugbear.B uses the backdoor component to listen on TCP (Transmission Control Protocol) port 1080. SOCKS proxy servers quite frequently use port 1080. (Network administrators usually provide these proxy servers as a security measure and to speed up Web browsing.) If your computer is not acting as a proxy server, the presence of activity on port 1080 may be an indication that Bugbear.B has infected it. Once the backdoor is listening, a hacker can connect to port 1080 and perform any of several actions, such as uploading or downloading files, deleting files, or starting the keylogger component. To see whether this port is in use, click Start, click Run, type netstat in the Open box, and click OK. This runs the NETSTAT command (built into all Windows versions), which lists the open connections to and from your PC.

Lastly, Bugbear.B will attempt to copy itself to any available network resource, including shared printers, causing them to print out the worm's code. The presence of this anomaly can signify that you've been infected.
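The two checks above (a listener on TCP port 1080 and short random-letter .EXE names in the STARTUP folder) can be turned into a small triage script. This is an added example, not part of the original article: it parses the output of `netstat -an` (the -a switch is needed to include listening ports, which plain netstat omits) from a constructed sample, and the "3 to 6 letters only" file-name shape is an assumption drawn from the article's AAbb.exe and Ccdd.exe examples, so every hit still needs a human look.

```python
import re
from typing import Dict, List

# Constructed sample of `netstat -an` output in the Windows NETSTAT layout.
# The 0.0.0.0:1080 listener is planted here to exercise the check; it is not
# captured from a real infection.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       203.0.113.7:25         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Turn netstat -an rows into dicts; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        rows.append({"proto": parts[0], "local": parts[1],
                     "remote": parts[2],
                     "state": parts[3] if len(parts) > 3 else ""})
    return rows

def listening_on(rows: List[Dict[str, str]], port: int) -> List[Dict[str, str]]:
    """Return TCP rows that are LISTENING on the given local port."""
    return [r for r in rows
            if r["proto"] == "TCP" and r["state"] == "LISTENING"
            and r["local"].rsplit(":", 1)[1] == str(port)]

# Assumed name shape: a handful of letters plus .exe, as in AAbb.exe / Ccdd.exe.
RANDOM_EXE = re.compile(r"^[A-Za-z]{3,6}\.exe$", re.IGNORECASE)

def suspicious_startup_exes(names: List[str]) -> List[str]:
    """Flag STARTUP folder entries whose names match the random-letter shape."""
    return [n for n in names if RANDOM_EXE.match(n)]

if __name__ == "__main__":
    # Constructed STARTUP folder listing; a real check would use os.listdir().
    startup = ["AAbb.exe", "desktop.ini", "Ccdd.EXE", "OfficeStartup.exe"]
    print("port 1080 listeners:", listening_on(parse_netstat(SAMPLE_NETSTAT), 1080))
    print("suspect startup files:", suspicious_startup_exes(startup))
```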

WARNING: The following section includes step-by-step information on editing the Windows Registry, a large database of system and program settings that are essential to how the OS (operating system) operates. Follow Registry-editing instructions to the letter and be sure to back up your Registry before you begin (Registry errors can render your computer inoperable if you don't have a backup). The backup procedure differs depending on the OS you use. For more information on backing up and editing the Registry, see these articles: "Protect Yourself" and "Register Here."



How To Get Rid Of Bugbear.B With Spybot Search & Destroy

Launch Spybot Search & Destroy and make sure it is up-to-date by clicking the Update button and following the on-screen instructions. (This requires a live Internet connection.) Once the program is up-to-date, click the Search & Destroy button to search automatically for Bugbear.B-related files. When Spybot Search & Destroy finds a file on your computer, it creates a listing under the Problem heading and automatically checks the corresponding checkbox. Scroll through the results to make sure the program didn't identify any legitimate programs as problems; if you find any, simply uncheck the corresponding checkboxes. Click the Fix Selected Problems button to have the program remove the unwanted file(s).

How To Get Rid Of Bugbear.B Manually

Because Bugbear.B is a polymorphic worm (capable of changing itself to avoid detection), it makes a number of modifications to the systems it infects, and manual removal is not recommended. If you are already infected with this worm, download and run one of the Bugbear.B removal utilities instead, such as Sophos' disinfector (www.sophos.com/support/disinfection/bugbearb.html) or Symantec's W32.Bugbear.B@mm Removal Tool (securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.removal.tool.html). F-Secure also has a removal tool available via an FTP (File Transfer Protocol) site at ftp.f-secure.com/anti-virus/tools/f-bugbr.zip. Follow the on-screen instructions for whichever removal tool you decide to use.

by Douglas Schweitzer

Copyright © 2009 Sandhills Publishing Company U.S.A. All rights reserved.