
I-Worm/Bugbear virus

Discussion in 'Security and Privacy' started by MinnesotaMike, 2003/05/23.

Thread Status:
Not open for further replies.
  1. 2003/05/23
    MinnesotaMike

    MinnesotaMike Geek Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,396
    Likes Received:
    3
    I'm trying to help a friend with his Dell computer, running Windows XP. He is unable to access any of his desktop icons and told me that he had a virus. Another friend suggested that he download AVG and run the program. He did and found infected files, which he said he deleted.

    Anyway, I now have the computer to try and fix it. This is what I get. Upon starting the system, after the desktop comes up, I get the following virus alert:

    AVG Resident Shield
    Virus
    Virus identified I-Worm/Bugbear

    is found in file
    C:\Documents and Settings\Nick xxxxx\Start Menu\Programs\Startup\cgc.exe

    To remove this virus, please run AVG for Windows.


    I finally get in and it finds 28 infected files and 28 viruses removed by healing. No files moved to Virus Vault and no viruses still on device. I checked the vault and it lists 636 files. I restart the system and try to access the icons again. As before, the programs can't be accessed because it "can't be found". Some of the programs I can access if I right click on the icon and choose "run as". I leave it at "current user" and hit OK. The program will open then. I have tried making new icons, but that does not help. I just checked the Virus Vault again and now it says that there are only 32 files in there.

    I have tried to get into System Restore, regedit, and msconfig. I even tried to access a floppy with the Bugbear repair tool from Norton. Exploring the drive shows the program, but when I double click the icon, it says that the drive is not accessible.

    At this point, I'm assuming that he must have deleted something important. Are there any options here? Saving personal data would be a plus obviously. Like Win98, is it possible to install XP over itself without losing anything? I'm new to XP so I'll try anything.

    Mike
     
  2. 2003/05/23
    aleekat

    aleekat Inactive

    Joined:
    2002/01/07
    Messages:
    902
    Likes Received:
    0
    I'm not running XP, but from reading this board, you have to disable the restore feature of XP before trying to fix this. The virus has buried itself in the restore. I'm sure others will chime in.
     


  4. 2003/05/24
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    I do not use XP but the quote above makes 100% sense.

    And even with Win98 the virus may very well be contained in the RB00X.CAB files that it makes.

    BillyBob
     
  5. 2003/05/24
    MinnesotaMike

    MinnesotaMike Geek Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,396
    Likes Received:
    3
    aleekat & BillyBob,

    Thanks for the suggestion. I did read that but I can't get into the part that allows me to do it. According to help files, I need to right click on My Computer and go into Properties. When I do that, all I get is an error and it won't let me in. Any thoughts on how to get into it?

    Mike
     
  6. 2003/05/24
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Mike

    Yes you can do an overlay (repair) install of XP. I can advise you there if you decide to go that route. There are several considerations before doing this.

    1. Is it XP home, does he have the CD?
    2. Does he have the Activation number (XP serial #,key)?
    and a few more things to consider.

    Even if you did a repair install it would not destroy the Virus and may therefore not fix the problem. Additionally you may "HAVE" to reinstall after cleaning this virus!

    My suggestion.

    First see if it will boot to Safe mode? (hit F8 key while booting at the progress bar).

    Hopefully you can get to safe mode and have desktop access.

    If you can get to safe mode then try the following:

    On another computer download each of the following programs and get them each on a floppy. Then take them to the infected computer and execute each in the order that I give to download.

    Special virus cleaners (none of these require installation; they run directly)

    These are the Delta force for only the newest and most prolific viruses today.
    Use these if it is possible that a virus may have disabled your regular scanner.
    For a quick clean, and then if they find and clean anything do a full deep scan with a full-fledged scanner.
    If you suspect a virus has disabled your regular scanner you should do 3 things

    1. Download STINGER and PQREMOVE and SysClean and run them. NOTE: always download them do not run an older one that you have had; these are updated almost daily.

    2. Do an online dedicated Trojan/worm scan and online regular virus scan when you get back to full.

    3. If your virus scanner was up to date, and "IF" either of above finds a virus then it is possible that your virus scanner has been disabled. You should completely uninstall and reinstall your virus scanner update it and run it in full mode with max settings.

    Stinger http://vil.nai.com/vil/stinger/

    PQremove http://www.webmasterfree.com/software/2911.html

    SysClean http://www.trendmicro.com/download/tsc.asp

    I would run these one after the other to be sure, even if one finds and removes it. Besides, there may be other viruses on the computer.

    Mike
     
  7. 2003/05/24
    Alice

    Alice Banned

    Joined:
    2002/01/08
    Messages:
    938
    Likes Received:
    0
    Hi MM,

    In addition to Mike's suggestions:

    I see you already tried running the Symantec's FxBgbear.exe removal tool from a floppy disk.

    What happens if you download (or copy) the removal tool to the hard drive, then run it from the hard drive?

    More information/ bugbear removal tool links here:
    http://www.sophos.com/virusinfo/analyses/w32bugbeara.html
    http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html
    http://www.mcafee.com/anti-virus/virus_removal/bugbear.asp

    According to the above pages, the virus installs a trojan program that will allow a hacker access to the system to delete files and copy files to the system, among other things.

    About those programs that no longer start from the desktop icons. Are you talking about Windows XP programs or 3rd-party programs? I'm assuming you checked the desktop shortcut properties and tried to run the .exe file directly?

    If the programs that no longer run have had crucial files deleted or replaced then your friend may have to reinstall those programs once the virus damage is repaired.

    PS You say you are unable to right-click My Computer and select Properties, to access the System Restore tab - see
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039

    I don't know about WinXP but in Win9x you can access the same place (System properties) from Control Panel, System. A WinXP user can help you more on that.
     
    Last edited: 2003/05/24
  8. 2003/05/24
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    10-4 again relying on Alice's sharp eyes made me notice this. The difference here may be safe mode. You were trying in normal/full mode.

    Additionally if this does not work in safe mode then try to get a command prompt in safe mode by putting the floppy in the a: drive then typing

    start-run

    type
    cmd

    then
    a:

    then the name of the bugbear fix tool, and if that works all the other programs I linked to you!

    Mike
     
  9. 2003/05/24
    Alice

    Alice Banned

    Joined:
    2002/01/08
    Messages:
    938
    Likes Received:
    0
    Hi Mike,

    I added my PS about disabling System Restore while you were posting!

    Here are Symantec's instructions for running the Bugbear fix tool from a floppy, from the page at http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.removal.tool.html
    =======copy/paste==========
    How to run the tool from a floppy disk

    1. Insert the floppy disk that contains the FxBgbear.exe file in the floppy disk drive.
    2. Click Start and then click Run.
    3. Type the following and then click OK:

    a:\fxbgbear.exe

    NOTES:
    o There are no spaces in the command a:\fxbgbear.exe
    o If you are running Windows Me and System Restore remains enabled, you will see a warning message. You can choose to run the removal tool with the System Restore option enabled or exit the removal tool.
    4. Click Start to begin the process, and then allow the tool to run.
     
  10. 2003/05/24
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    My thinking. I may be wrong or way out of line. But I see possible problems in the future.

    BTW. I myself DESPISE even suggesting a Reformat and start over but I think this is case where it might be the best thing to do.

    There is no way ( at least I do not know of one ) to make sure the Trojan has not invaded other partitions ( if they exist )

    If the above is indeed true then I myself would be VERY LEERY of anything other than a complete system format and rebuild.

    But by the machine being a Dell I can not ( and won't ) say how to do this.

    And by reading the original post I have a feeling that some SERIOUS damage has been done already.

    I have tried to get into System Restore, regedit, and msconfig. I even tried to access a floppy with the Bugbear repair tool from Norton. Exploring the drive shows the program, but when I double click the icon, it says that the drive is not accessible.

    That is not good.

    And if the System Restore folder(s) are still on the drive(s) they can be dangerous if there is no way of getting rid of them through the System Restore function. Or whatever the thing is in XP.

    BillyBob
     
  11. 2003/05/24
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    BB

    I have fixed many BugBear infections successfully, but in 98 not XP!

    There is some hope! If it can be eradicated to the point of full mode coming back to normal operation a couple of specialized trojan/worm scans and a M$ update or 2 and it is possible!

    Mike
     
  12. 2003/05/25
    MinnesotaMike

    MinnesotaMike Geek Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,396
    Likes Received:
    3
    aleekat, BillyBob, mflynn, & Alice,

    An update. A little later than I wanted; busy weekend so far.

    Things are back and working just fine. Not only did he have the Bugbear virus, but I also found the W32.Lentin virus. That is a variant of the W32.Yaha@mm virus. All viruses have been cleaned out; no reload necessary.

    I tried restoring "Last Known Good Configuration ", in SAFE mode, but that didn't change anything. I then ran the Stinger, PQremove, and SysClean antivirus programs.

    The Stinger program did not run. I got the message "Windows cannot find 'A:\stinger.exe ". Make sure you typed... It shows up when I explore the disk though.

    The PQremove found the Lentin virus and repaired it.

    The SysClean program didn't find anything.

    I ran the FxBgbear floppy that I made and it came back clean.

    I cleaned out the case, scandisked, defragged, and ran AVG once again. He is now able to access all programs, and their icons, with no problems.

    I don't think that he used any antivirus before, so this is a lesson learned on his part. He got lucky this time. I updated his AVG definitions and will remind him to keep it updated and on.

    Thanks for all the help!

    Mike

    P.S. Alice, I did try copying the bugbear tool to the hard drive. It had no effect. Still could not run it.
     
    Last edited: 2003/05/25
  13. 2003/05/25
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Well that is very good news.

    And you may well be quite correct in saying " He lucked out this time. "

    BB
     
  14. 2003/05/25
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Fantastic Mike

    How did you get them to run, in Safe Mode as I suggested, or find a way in normal mode.

    Redownload the ones that did not run so they will be handy if there is another problem. They must have become corrupted in the copy process to the floppy!

    Additionally, because of the nature of this particular trojan I would do a dedicated Worm/Trojan scan to make sure it is not lying quietly for now.

    http://www.anti-trojan.net/at.asp?l=en&t=onlinecheck

    or/and

    The Cleaner from http://www.moosoft.com

    One of the best dedicated Trojan/Worm scanners.

    Mike
     
  15. 2003/05/25
    Alice

    Alice Banned

    Joined:
    2002/01/08
    Messages:
    938
    Likes Received:
    0
  16. 2003/05/25
    MinnesotaMike

    MinnesotaMike Geek Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,396
    Likes Received:
    3
    Mike,

    I ran the programs in SAFE mode. Sorry I forgot to mention that. Thanks for the additional links. I will pass them on to my friend and have him run the tests.

    Alice,

    The Yaha virus was the biggie. As it states, .exe files were definitely affected.

    BillyBob,

    If only we were all that lucky! :D

    Mike
     
  17. 2003/05/26
    Alice

    Alice Banned

    Joined:
    2002/01/08
    Messages:
    938
    Likes Received:
    0
    Mike, you said "Redownload the ones that did not run so they will be handy if there is another problem. They must have become corrupted in the copy process to the floppy!"

    The Stinger program probably didn't run because it was an .EXE file.
    MM said, "The Stinger program did not run. I got the message "Windows cannot find 'A:\stinger.exe'""
    The PQremove is a COM file (pqremove.com from the download link) and MM said that the third program (SYSCLEAN.COM) ran, but didn't find anything.

    A followup on the Yaha virus, for the record:

    Symantec has a FixYaha.com tool (It's a COM file because Yaha prevents EXE files from running). See http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.removal.tool.html

    F-Secure has a YAHATOOL.COM and a Yahafix.reg file, available here:
    http://www.f-secure.com/v-descs/yaha_e.shtml
     
    Last edited: 2003/05/26
  18. 2003/05/26
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    10-4 Alice

    Thanks Alice! I had not been aware of the yaha.reg!

    But for everyone's info in this case an exe file can be renamed to a com and will still work. Stinger.exe to Stinger.com!

    Mike
     
  19. 2003/05/26
    Alice

    Alice Banned

    Joined:
    2002/01/08
    Messages:
    938
    Likes Received:
    0
    Hi Mike,

    On changing the EXE extension to COM:

    I saw on Symantec's site that you would rename regedit.EXE to regedit.COM to do a manual registry edit on a Yaha infected pc. Guess that works!
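    The reason EXE files stop launching while COM files (and a renamed regedit.com) still run is that the worm changes the launch command Windows associates with the exefile file type, which is exactly what a .reg fix such as the F-Secure file above restores. The following is an added example, not code from this thread or from any vendor's tool: it parses a registry export of those launch commands and flags any that differ from the stock `"%1" %*` default. The export text and the hijack path in it are constructed for illustration.

```python
import re

# Stock Windows launch commands for the exefile and comfile types.
# Assumption: a value other than "%1" %* means the association was altered.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
}

def _unescape(value):
    """Undo .reg file escaping: backslash precedes a literal backslash or quote."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def parse_reg_export(text):
    """Return {key: default value} for every [key] whose @="..." line is present."""
    result, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1)
            continue
        m = re.match(r'^@="(.*)"$', line)
        if m and key:
            result[key] = _unescape(m.group(1))
    return result

def find_hijacked(reg_text):
    """Keys from EXPECTED whose exported value is not the stock default."""
    values = parse_reg_export(reg_text)
    return {k: v for k, v in values.items() if k in EXPECTED and v != EXPECTED[k]}

# Constructed sample export: exefile points at a bogus loader, comfile is intact.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\System32\\hijack.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for key, value in find_hijacked(SAMPLE).items():
        print("altered:", key, "->", value)
```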
     