The BitDefender Virus Analysis Team has released a free removal tool for this particular virus. Important: you will have to close all applications before running the tool (including the antivirus shields) and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client.
The BitDefender Antibugbear-en.exe tool does the following:
it detects all the known BugBear versions (A and B);
it disinfects the files infected with BugBear;
it kills the process from memory;
it repairs the Windows registry.
You may also need to restore the affected files.
To prevent this virus from using the IFRAME exploit, apply the patch for Internet Explorer 5.0 and 5.5.
To prevent the virus from replicating itself from infected machines to clean machines, you should try to disinfect all computers in the network before rebooting any of them, or unplug the network cables.
If you are running Windows 95/98/Me, you will have to apply the following patch provided by Microsoft to stop the virus from using the Share Level Password
Sorin Victor Dudea BitDefender Virus Researcher
This is an Internet worm that spreads through e-mail and network shares. It uses the IFRAME vulnerability to launch itself without user interaction.
It usually arrives in the following format:
Subject: Randomly chosen from the following list:
Get 8 FREE issues - no risk!
Your News Alert
$150 FREE Bonus!
New bonus in your cash account
Tools For Your Online Business
Daily Email Reminder
CALL FOR INFORMATION!
25 merchants and rising
My e Bay ads
Mark et Update Report
click on this!
Lost & Found
Get a FREE gift!
I need help about script!!!
Correction of errors
Just a reminder
Or any other subject it finds in mail databases.
Attachment: Randomly chosen from the following list:
Setup, Card, Docs, news, image, images, pics, resume, photo, video, music, song, data
with a double extension, the final one being one of: .exe, .scr, .pif.
When the worm sends itself using information taken from other mail it has found, the attachment can be any file name with .exe, .scr or .pif appended to the end.
Body: Can be anything.
When executed, the worm checks the mutex w32sharmur to see if it is already in memory. If the mutex does not exist, the worm copies itself into the STARTUP folder under a random name xxxx.exe and then exits.
After the computer is restarted, the worm drops a Trojan keylogger dll file with a random name. That dll is used to capture the pressed keys. It also creates two other dll files in which it stores the captured keys in an encrypted format. It also creates a dat file in which it writes information about the computer settings.
It infects the following files by adding its code to the end of the target file and changing the entry point to the attached code:
From the program files:
Windows Media Player\mplayer2.exe
From the %windir%:
Also, when infecting files it changes the encryption code in order to become harder to detect. Every 20 seconds the worm checks the running programs and, if it finds one of the following, terminates it:
It also writes itself to all the network shares it finds, with the file name Setup.exe.
The worm sends itself through e-mail using the local SMTP settings. The e-mail addresses are taken from files whose names contain the following strings: .ODS, INBOX, .MMF, .NCH, MBX, EML, DBX, ini, INI.
If those files are mail databases, it tries to find received mails in them and replies to those e-mails, replacing the original attachments with the virus body and adding one of the following extensions: .exe, .scr, .pif. If the mails don't have any attachments, it takes a name from the virus list or from the hard drive and adds it to the mail.
The worm also has backdoor capabilities. It waits for HTTP connections on port 1080.
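As an added illustration, not BitDefender's tool or code, the following Python heuristic flags the two lure shapes described above (the fixed subject/attachment lists, and the reply with the original attachment name plus .exe/.scr/.pif). The subject and name lists are copied from this description; the sample headers are constructed.

```python
"""Mail-gateway heuristic for the Bugbear lure shapes described on this page.

A message is flagged when its attachment is a double-extension executable
(the worm's own lure and its "original name + .exe/.scr/.pif" replies both
look like this), or when a plain executable attachment is paired with one of
the worm's fixed subjects.  Added example, not BitDefender's code.
"""
import re

# Subject and attachment base-name lists copied from the description above.
KNOWN_SUBJECTS = {
    "get 8 free issues - no risk!", "your news alert", "$150 free bonus!",
    "new bonus in your cash account", "tools for your online business",
    "daily email reminder", "call for information!", "25 merchants and rising",
    "my e bay ads", "mark et update report", "click on this!", "lost & found",
    "get a free gift!", "i need help about script!!!", "correction of errors",
    "just a reminder",
}
KNOWN_BASENAMES = {"setup", "card", "docs", "news", "image", "images", "pics",
                   "resume", "photo", "video", "music", "song", "data"}

# "<base>.<inner>.<exe|scr|pif>", e.g. resume.doc.pif or budget.xls.exe
DOUBLE_EXT = re.compile(r"^(?P<base>.+)\.(?P<inner>[^.]+)\.(exe|scr|pif)$", re.I)
EXEC_EXT = re.compile(r"\.(exe|scr|pif)$", re.I)


def classify(subject: str, attachment: str) -> set:
    """Return the set of Bugbear indicators present in one message header."""
    hits = set()
    name = attachment.strip()
    m = DOUBLE_EXT.match(name)
    if m:
        hits.add("double_ext")
        if m.group("base").lower() in KNOWN_BASENAMES:
            hits.add("list_basename")
    elif EXEC_EXT.search(name):
        hits.add("exec_ext")
    if subject.strip().lower() in KNOWN_SUBJECTS:
        hits.add("list_subject")
    return hits


def is_suspect(subject: str, attachment: str) -> bool:
    hits = classify(subject, attachment)
    # A double extension alone matches both lure styles; a single executable
    # extension needs a listed subject as well to keep false positives down.
    return "double_ext" in hits or {"exec_ext", "list_subject"} <= hits


# Constructed sample headers (not real captures).
SAMPLES = [("Your News Alert", "news.doc.scr"),   # worm's own lure
           ("Re: Q3 budget", "budget.xls.exe"),   # reply, original name + .exe
           ("Just a reminder", "agenda.txt")]     # listed subject, benign file

if __name__ == "__main__":
    for subj, att in SAMPLES:
        print(subj, att, is_suspect(subj, att), sorted(classify(subj, att)))
```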