How do you know if you've got BugBear virus?
#1
Scooby Regular
Thread Starter
Don't think I've got it, but just being a bit wary...
What are the symptoms etc?
Is it worth running the bugbear antidote (from Norton) just in case, or will it screw up my PC?
TIV
Dan
#3
Scooby Regular
Join Date: Oct 1998
Location: London
Posts: 4,891
#6
For those that haven't checked it out yet....
The symptoms are
Port 36794 TCP open
Existence of the following files (* represents any character):
%WinDir%\System\****.EXE (50,688 or 50,684 bytes)
%WinDir%\******.DAT
%WinDir%\******.DAT
%WinDir%\System\******.DLL
%WinDir%\System\*******.DLL
%WinDir%\System\*******.DLL
Large Print jobs sent to network printers. The full printout caused by a copy of the worm in the printer queue can take about 500 pages. They are mostly blank with only one-two lines of random symbols on each page. The very first page starts with "MZ" followed by about 18 funny symbols and a string "=!This program cannot be run in DOS mode". Another visible printed string close to the beginning is "Rich5".
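A local check for the port and file symptoms listed in the post above, as an added example (not part of the original thread or of any vendor tool). The function names and the split into "strong" and "weak" matches are assumptions of this example: only the 4-character .EXE with one of the listed sizes is treated as a strong hit, because legitimate files also fit the name-only .DLL and .DAT patterns.

```python
import os
import re
import socket
from pathlib import Path

BUGBEAR_PORT = 36794        # TCP port listed in the post
EXE_SIZES = {50688, 50684}  # byte sizes listed in the post
# Name patterns from the post; each * stands for exactly one character.
SYSTEM_EXE = re.compile(r"^.{4}\.exe$", re.I)
SYSTEM_DLL = re.compile(r"^.{6,7}\.dll$", re.I)
WINDIR_DAT = re.compile(r"^.{6}\.dat$", re.I)


def port_open(port=BUGBEAR_PORT, host="127.0.0.1", timeout=1.0):
    """Return True if something accepts TCP connections on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan(windir):
    """Return (strong, weak) lists of files matching the listed symptoms.

    strong: 4-character .EXE in System with one of the listed sizes.
    weak:   name-only .DLL/.DAT matches, which legitimate files also fit.
    """
    windir = Path(windir)
    system = windir / "System"
    strong, weak = [], []
    if system.is_dir():
        for f in system.iterdir():
            if not f.is_file():
                continue
            if SYSTEM_EXE.match(f.name) and f.stat().st_size in EXE_SIZES:
                strong.append(f)
            elif SYSTEM_DLL.match(f.name):
                weak.append(f)
    if windir.is_dir():
        weak += [f for f in windir.iterdir()
                 if f.is_file() and WINDIR_DAT.match(f.name)]
    return strong, weak


if __name__ == "__main__":
    strong, weak = scan(os.environ.get("WINDIR", r"C:\Windows"))
    print(f"TCP {BUGBEAR_PORT} open locally: {port_open()}")
    for f in strong:
        print("size+name match:", f)
    print(f"{len(weak)} name-only matches (review manually)")
```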
#8
Scooby Regular
Join Date: Aug 2001
Location: Republic Of Mancunia
Posts: 2,474
I've had it. E-Mail wasn't working on one of the PCs at work, went to see, and was totally baffled. Whilst checking the normal stuff, noticed Norton wasn't running. So I started it, and a few seconds later, it closed itself, repeat 2 or 3 times before I got suspicious and checked the Symantec site.
Received it in e-mail 5 times now, and all 5 were from computery related websites, most from aspsql.com and one from someone claiming to be something to do with internic.
#9
Scooby Regular
Join Date: Apr 2002
Location: Birmingham
Posts: 9,196
We've had it attempt to come into our work premises. Luckily all our email is screened at the ISP, and they use 3 virus scanners + their own heuristic one. Bit worrying tho if that had got to one of the "less pc literate" users and managed to disable the desktop AV.
Andy