Recovering from the BugBear virus ...
| Lo,
One of my clients was infected by the bugbear virus there last week. Luckily, Symantec had a removal tool available to download at http://securityresponse.symantec.co...er/FxBgbear.exe
Anyway, I applied the removal tool to all the computers on the network while they were disconnected from the network and the virus was removed fine.
Yesterday I got a call saying that since I had been in last week, there have been no bugbear infections since, but 3 computers (win98 and 2 win95) are having intermittent printing problems. This is the error:
http://www.nets2.com/misc/print_error.jpg
I've reinstalled the printer onto the server with new drivers from HP, and shared out the printer on the server for the network and reinstalled onto the workstations, but problem persists ?? If they restart their computers, the printer works for another 10 mins or so, but then the problem reappears?
Any ideas? Could the bugbear removal have deleted some system files? | |
| twister166 2002-10-10, 7:19 am |
| Try to remove the swap file and let Windows recreate one, sometimes it helps... one other thing you can do is remove the NIC driver and reinstall the network environment... the problem could be related to the redirector... good luck | |
| KiwiPete 2002-10-10, 11:32 am |
| I had the same problem on our network.
Before the virus was added to Norton's definitions, some (l)user received an email with an html attachment (which we don't block).
He clicked on the icon, which took him to a blank web page.
Bugbear is a password-stealing virus. We only discovered it because one of our printers was printing out pages of crap.
It also uninstalled Norton Virus Scan on the affected workstation. I know it was there before and the Uninstall function is password-protected from the Exchange server.
I checked the logs on the print server & found that the last print job on that particular machine was by a user that doesn't have permissions on that machine.
Because the printer has its own IP address, the virus took it as just another PC & tried to log on to it.
That's where the printing problem occurred.
So you need to find out what users have been printing to that machine (regardless of their permissions) and change their passwords.
That's what I did with our user. Then I updated the definitions on that machine & ran virus scan again.
No other users were infected.
Also wouldn't hurt to run Ad-Aware on the affected machine(s).
Don't forget to give the (l)user a lecture on opening attachments.
 | |
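The check KiwiPete describes above (finding print jobs submitted by an account that has no permission on that printer, then resetting that account's password) can be sketched as follows. This is an added example, not part of the original thread; the log format, printer names, account names and permission list are all constructed for illustration.

```python
# Constructed print-server log: timestamp,printer,account,source host,pages
SAMPLE_LOG = """\
2002-10-03 09:12:04,LJ4-ACCOUNTS,mary,WS-03,2
2002-10-03 09:40:51,LJ4-ACCOUNTS,john,WS-07,1
2002-10-03 10:02:17,LJ4-ACCOUNTS,dave,WS-11,48
2002-10-03 10:02:55,LJ4-ACCOUNTS,dave,WS-11,51
this line is damaged and must be skipped
2002-10-03 10:03:30,LJ4-ACCOUNTS,dave,WS-11,47
2002-10-03 10:15:00,LJ4-WAREHOUSE,dave,WS-11,1
"""

# Constructed permission list: accounts allowed to print to each printer.
PRINTER_ACL = {
    "LJ4-ACCOUNTS": {"mary", "john"},
    "LJ4-WAREHOUSE": {"dave"},
}

def parse_jobs(text):
    """Turn log text into job dicts, skipping lines that do not parse."""
    jobs = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        ts, printer, user, host, pages = parts
        jobs.append({"ts": ts, "printer": printer, "user": user,
                     "host": host, "pages": int(pages)})
    return jobs

def unauthorised_jobs(jobs, acl):
    """Jobs whose account is not permitted on the target printer.
    A printer missing from the ACL is treated as permitting nobody."""
    return [j for j in jobs if j["user"] not in acl.get(j["printer"], set())]

def accounts_to_reset(jobs, acl):
    """Map (account, host) -> (job count, total pages) for unauthorised jobs.
    These are the accounts whose passwords should be changed and the
    workstations that should be rescanned."""
    summary = {}
    for j in unauthorised_jobs(jobs, acl):
        key = (j["user"], j["host"])
        count, pages = summary.get(key, (0, 0))
        summary[key] = (count + 1, pages + j["pages"])
    return summary

if __name__ == "__main__":
    for (user, host), (n, pages) in accounts_to_reset(
            parse_jobs(SAMPLE_LOG), PRINTER_ACL).items():
        print(f"{user} from {host}: {n} unauthorised jobs, {pages} pages")
```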
|
| ok, thx for the help guys, I went back today and booted the machines into DOS and deleted the win386.swp file, restarted and the problem hasn't appeared so far .. fingers crossed
KiwiPete, I was curious what you meant by:
quote: So you need to find out what users have been printing to that machine (regardless of their permissions) and change their passwords.
are you talking about how you got rid of the virus or are you trying to tell me what I should do to sort out this printing problem? lol | |
| KiwiPete 2002-10-10, 5:41 pm |
| No, that's how I discovered which workstation was causing the printer to go mad.
At that stage, the bugbear virus hadn't been identified by Norton.
I went to the print server logs to see who the hell was wasting all the paper.
Once the virus info had been posted on the various virus info sites, that's when I realised what had happened & changed the user's password.
Your mention of bugbear & printing problems made me think of my own bugbear problem. | |
|
| ah right, now I understand  | |
|
| This problem has got worse, client emailed me today saying the problem is worse than ever now, the problem has spread to a number of different PCs and is affecting a second printer. I wonder if there is another virus going around, cause they have McAfee (which only kinda works), not Symantec. |