W32/Bugbear-B disinfection instructions and FAQ

The Bugbear-B virus (also known as W32/Bugbear-B) spreads by sending itself in emails and by copying itself across networks. It is based upon the original Bugbear worm (W32/Bugbear-A), which was the second most commonly reported virus in 2002. However, the new version has a new trick up its sleeve: it is polymorphic, meaning it changes its appearance with each infection in an attempt to avoid detection.

1. How do I get rid of W32/Bugbear-B?
2. Which systems are affected?
3. How did my computer become infected?
4. Why are my printers printing out garbage?
5. How do I stop it printing?
6. Do I need to reinstall Sophos Anti-Virus after removing W32/Bugbear-B?
7. I have a 'download only' licence. I downloaded the Bugbear IDE file and now I can't access Internet Explorer or start Sophos Anti-Virus either. What should I do?
8. What will W32/Bugbear-B do to my credit card?
9. How do I prevent my computer from becoming reinfected by similar viruses in the future?


1. How do I get rid of W32/Bugbear-B?

Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.

Windows 95/98/Me and Windows NT/2000/XP/2003

W32/Bugbear-B can be removed from Windows 95/98/Me and Windows NT/2000/XP/2003 computers automatically with the following Resolve tools.

Note: When disinfecting variants not listed above, use the recovery instructions in the appropriate virus analysis.

Windows disinfector

BUGBEGUI is a disinfector for standalone Windows computers.

If you are disinfecting several computers, download it, save it to floppy disk and run it from there.

After removing the virus you should install the Microsoft patch MS01-027 or, on single computers, update with all relevant security patches from Windows Update.

In Windows Me and Windows XP you should also purge System Restore.

Command line disinfector

BUGBESFX.EXE is a self-extracting archive containing BUGBECLI, a Resolve command line disinfector for use on Windows networks. Read the notes enclosed in the self-extractor for details on running this program.

After removing the virus you should install the Microsoft patch MS01-027 or, on single computers, update with all relevant security patches from Windows Update.

In Windows Me and Windows XP you should also purge System Restore.

Other platforms

To remove W32/Bugbear-B on other platforms please follow the instructions for disinfecting PE executable viruses.

If you have any problems removing W32/Bugbear-B after following these instructions, please contact technical support.

2. Which systems are affected?

If a W32/Bugbear-B infected file is found on a PC, it has either been dropped there over the network by another infected PC, or the virus has been executed locally.

3. How did my computer become infected?

W32/Bugbear-B arrives as an email attachment with a double file extension (that is, a file extension followed by another extension): specifically .EXE, .SCR or .PIF. The filename itself can be anything, as can the email subject line and body text. On a network the W32/Bugbear-B worm can copy itself from computer to computer, both servers and workstations. As a result, your computer can become infected without having received or executed an infected email.
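The attachment pattern described above (any base name, a double extension, final extension .EXE, .SCR or .PIF) can be checked at a mail gateway. The following is an added example written for this page, not a Sophos tool; the attachment names it tests are constructed, and it also catches the padded-with-spaces form of the double extension.

```python
from typing import Iterable, List

# Final extensions the FAQ names for W32/Bugbear-B attachments.
BLOCKED_FINAL_EXTENSIONS = {".exe", ".scr", ".pif"}


def split_extensions(filename: str) -> List[str]:
    """Return the dot-separated parts of a bare filename, lower-cased and
    stripped of surrounding spaces (so 'Report.doc   .EXE' -> ['report', 'doc', 'exe']).
    A path prefix, if present, is ignored."""
    bare = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return [part.strip().lower() for part in bare.split(".")]


def has_double_extension(filename: str) -> bool:
    """True when the name carries at least two non-empty extensions."""
    parts = split_extensions(filename)
    return len(parts) >= 3 and all(parts)


def is_suspicious_attachment(filename: str) -> bool:
    """Flag names matching the FAQ's description: a double extension whose
    final extension is .EXE, .SCR or .PIF (case-insensitive)."""
    parts = split_extensions(filename)
    if not has_double_extension(filename):
        return False
    return "." + parts[-1] in BLOCKED_FINAL_EXTENSIONS


def triage_attachments(names: Iterable[str]) -> List[str]:
    """Return only the attachment names that should be held for inspection."""
    return [name for name in names if is_suspicious_attachment(name)]


if __name__ == "__main__":
    # Constructed sample attachment names, not real samples.
    sample = ["invoice.doc.scr", "Photos.JPG.EXE", "report.doc",
              "archive.tar.gz", "readme.txt        .pif"]
    print(triage_attachments(sample))
```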

4. Why are my printers printing out garbage?

W32/Bugbear-B attempts to copy itself to any available network resource, including shared printers. Printers cannot become infected. They may, however, start to print out the worm's code. This can potentially waste a large amount of paper, but causes no hardware damage.

5. How do I stop it printing?

Firstly, turn the printer off for ten seconds, then turn it on. If it resumes printing out the worm code, switch it off. You may have to clean all computers before switching your printers on again. If you can see the print queue for the network printer, try to clear out all outstanding jobs. If you can't, or if that doesn't work, contact your administrator. You may wish to postpone legitimate print jobs until disinfection is complete.

6. Do I need to reinstall Sophos Anti-Virus after removing W32/Bugbear-B?

W32/Bugbear-B deactivates Sophos Anti-Virus, but does not delete any of its files. After W32/Bugbear-B has been disinfected Sophos Anti-Virus can be restarted. Check that Sophos Anti-Virus is up-to-date: install the latest version of Sophos if you haven't already done so. At the time of writing, the latest version of Sophos Anti-Virus is June 2003 (version 3.70) and is available for download. Add the W32/Bugbear-B virus identity (IDE).

7. I have a 'download only' licence. I downloaded the Bugbear IDE file and now I can't access Internet Explorer or start Sophos Anti-Virus either. What should I do?

W32/Bugbear-B prevents Sophos Anti-Virus from running, but once the virus process has been stopped it can run successfully.

To do this go into MS-DOS mode as described in the disinfection instructions on the W32/Bugbear-B page.

8. What will W32/Bugbear-B do to my credit card?

W32/Bugbear-B may record keystrokes entered into your computer and may send the details to a remote encrypted email address.

If you are worried that this may have happened, contact your bank directly.

The username and password for your internet or email account may also have been sent and should be changed.

9. How do I prevent my computer from becoming reinfected by similar viruses in the future?

Installing the Microsoft security patch will prevent W32/Bugbear-B and similar viruses from running automatically when the email is viewed.

Keep up to date with the latest Microsoft security patches by subscribing to the Microsoft security bulletin and visiting Windows Update regularly. If your IT policy allows, you may want to set up scheduled Windows Update access. This can be enabled in later versions of Windows via the Control Panel.

Follow safe computing practices.
