Bugbear Virus Eradicated

Posted: 2002 Nov 08 18:47 UTC

A mass-mailing worm known as W32.Bugbear@mm recently infected Leif's mother's computer and it was up to our valiant hero to save the day.

It all began with Leif's father mentioning that he had received an e-mail from Leif's mother in which the part of the address before the "@" was correct, but the domain after it was not. (For example, receiving "leifsmom@cheese.net" instead of "leifsmom@cracker.com".) The body of the message cut off mid-sentence.

A couple of days later, Leif himself received an e-mail where the "From:" was incorrect. (For example, "leifsmom@aol.com".) There was also an attachment which had not been present in his dad's e-mail, most likely because his dad's copy of McAfee VirusScan had stripped it.

Our hero was struck by a few peculiarities that stopped him from double-clicking the e-mail. First, the "From" field was incorrect. Second, the "Subject" was the same as a previous e-mail from his mother. Also, the attachment was named "earth.ico.scr", mimicking an icon file stored locally on his mother's computer while actually carrying a .scr (screen-saver executable) extension. "Also I think the 'To' field was blank, but I can't remember," said Leif.

He right-clicked the item and looked directly at the message source, and found that the body of the e-mail was identical to a previous e-mail, except that the text was cut off in the middle of a sentence.

Leif read up briefly on virus scanners and noted a recent outbreak of Bugbear. Then he went to work at his parents' house.

"I immediately noticed that any virus software I used would shut down after a few seconds. It seemed like the virus was fighting me for control," said Leif in an e-mail interview this week. "There was really nothing I could do, so I started to back up the files."

The breakthrough came as he went back to reading online at the Symantec website (Symantec Security Response). "I was reading about Bugbear and noticed that I was having all the problems that they were talking about." The site listed all the affected files and where to find them, and also offered a removal program that would wipe the worm off an infected system.

"I went back to my mom's machine and lo and behold, the files were where they were said to be," said Leif. The virus file was "c:\windows\system\jyjm.exe", though the name appears to be random and not the same on every infected machine. The file was exactly 50688 bytes.
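Because the file name varies from machine to machine while the size reported here stays at 50688 bytes, a quick triage check is to walk the system directory for executables of exactly that size rather than hunting for a name. The script below is an added example for this page, not a tool from the post or from Symantec. It builds a constructed stand-in directory (the name "jyjm.exe" is the one the post reports; "qwer.scr", "notepad.exe" and "readme.txt" are made-up decoys) and scans it; on a real machine you would point `find_by_size` at the actual system directory. An exact size match is only a lead to confirm with a scanner, since any unrelated file can happen to be that length.

```python
import os
import tempfile

BUGBEAR_SIZE = 50688                      # byte count reported in the post
EXEC_EXTS = {".exe", ".scr", ".pif"}      # file types the worm body could be dropped as


def find_by_size(root, size=BUGBEAR_SIZE):
    """Walk `root` and return sorted, slash-separated relative paths of
    executables whose length is exactly `size` bytes."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXEC_EXTS:
                continue
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) == size:
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree():
    """Constructed stand-in for c:\\windows\\system (hypothetical contents)."""
    root = tempfile.mkdtemp()
    samples = {
        "jyjm.exe": BUGBEAR_SIZE,        # name from the post, size matches
        "notepad.exe": 65536,            # decoy: executable, wrong size
        "readme.txt": BUGBEAR_SIZE,      # decoy: right size, not executable
        "sub/qwer.scr": BUGBEAR_SIZE,    # decoy name, matches in a subdirectory
    }
    for rel, size in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)       # inert filler, not worm content
    return root


def demo():
    """Scan the constructed tree; returns the list of candidate paths."""
    return find_by_size(build_sample_tree())


if __name__ == "__main__":
    for hit in demo():
        print("candidate:", hit)
```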

"It was a thing of beauty to track down the virus and destroy it."