RMBGBEAR
--------

Version 1.00, October 2002
www.sophos.com

1. Introduction
2. Downloading RMBGBEAR
3. Running RMBGBEAR
4. Deleting other worm files
5. After running RMBGBEAR
6. Additional RMBGBEAR options
7. For further assistance


1. Introduction
---------------

RMBGBEAR is a utility for disinfecting the W32/Bugbear-A worm.

This worm infects most 32-bit Windows platforms (Windows 95, 98, Me, 2000 and XP). It may be dropped on Windows NT, but has not been observed to run. It can spread by copying itself across networks and by sending out infected emails which exploit MIME and IFRAME vulnerabilities. It also sends itself to printers, which print out its executable code.

For details see:
http://www.sophos.com/virusinfo/analyses/w32bugbeara.html

The tool these notes refer to can be found at
http://www.sophos.com/tools/bearsfx.exe

W32/Bugbear-A is a worm; it does not infect files. All W32/Bugbear-A files can be deleted.

W32/Bugbear-A very rarely infects Windows NT. Use Sophos Anti-Virus to delete the worm files. In the rare case of actual infection, follow the Windows 2000/XP instructions.


2. Downloading RMBGBEAR
-----------------------

Download BEARSFX.EXE from http://www.sophos.com/tools/bearsfx.exe or get it from the Tools\Utils folder on the Sophos CD. Copy it to all affected computers.

The self-extracting archive BEARSFX.EXE contains RMBGBEAR and these instructions.

Switch off any affected printers, if only to save paper.

It is recommended that you disconnect infected computers from the network before proceeding. This is not vital to the disinfection process, but it will stop the worm spreading further.


3. Running RMBGBEAR
-------------------

On each affected computer, double-click on the BEARSFX.EXE self-extracting archive to install it to the folder C:\SOPHTEMP.

a) Windows 2000/XP

At the taskbar, click Start|Run. In the text box, type "CMD" (without the quotes). Press Enter. A command prompt window is displayed.

b) Windows 95/98/Me

At the taskbar, click Start|Run. In the text box, type "COMMAND" (without the quotes). Press Enter. A command prompt window is displayed.

Then, on either platform, type

C:
CD \SOPHTEMP
RMBGBEAR

You will see a message telling you if removal has succeeded.


4. Deleting other worm files
----------------------------

Run a scan on all computers with Sophos Anti-Virus and delete any remaining worm files.

Once Sophos Anti-Virus is running, your computers are protected against reinfection. Any worm files that are detected should be deleted and the source of the file traced.


5. After running RMBGBEAR
-------------------------

a) W32/Bugbear-A includes a key logger. You should change any passwords, usernames or other information that may have become compromised.

b) Installing the Microsoft security patch

W32/Bugbear-A can exploit two security vulnerabilities in Microsoft Internet Explorer, Outlook and Outlook Express. To prevent reinfection, you should install the following patch available from Microsoft:

http://www.microsoft.com/technet/security/bulletin/MS01-027.asp

(This patch fixes a number of vulnerabilities in Microsoft's software, including the ones exploited by this virus.)

c) System Restore and Windows Me

Users of Windows Me should purge the contents of System Restore to remove any backed up copies of infected files.

Right-click the 'My Computer' icon on the desktop, select 'Properties' and then choose 'Performance'. Click 'File System' and then click the 'Troubleshooting' tab. Click the 'Disable System Restore' check box and click 'Apply'. Then click to clear the 'Disable System Restore' check box and click 'Close'. Reboot the computer.

The contents of your System Restore folder will be erased (you will not lose any of your ordinary data). Scan your computer with Sophos Anti-Virus to ensure that the worm has gone.

d) System Restore and Windows XP

Users of Windows XP should purge the contents of System Restore to remove any backed up copies of infected files.
Go to Start|Control Panel|Performance and Maintenance. Double-click System, then select the System Restore tab. Click to select the 'Turn off System Restore on all drives' box. Click Apply. Click Yes. Now click to clear the 'Turn off System Restore on all drives' box. Click OK. Reboot the computer.

The contents of your System Restore folder will be erased (you will not lose any of your ordinary data).


6. Additional RMBGBEAR options
------------------------------

If you want RMBGBEAR to display the names of all files as they are scanned, add the -NS (no silent running) option when you run the program:

RMBGBEAR -NS

If you want RMBGBEAR to scan all files (not just EXE and DLL files), add the -ALL (all files) option when you run the program:

RMBGBEAR -ALL

If you want RMBGBEAR to continue even if the worm process could not be stopped, add the -NT (no termination) option when you run the program:

RMBGBEAR -NT


7. For further assistance
-------------------------

For further assistance, please contact Sophos technical support (support@sophos.com).

7 April 2003
----------------
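As an added example, not part of the Sophos README or of the RMBGBEAR tool itself, the batch file below wraps the section 3 procedure for Windows 2000/XP so that an administrator running it on each affected computer gets a per-machine log showing what was scanned and how the run ended, instead of relying on whoever sat at the keyboard to note the on-screen message. It assumes BEARSFX.EXE has already been extracted to C:\SOPHTEMP and that the tool there is named RMBGBEAR.EXE; the log share \\FILESERVER\CLEANLOG is a hypothetical location to replace with your own. The -NS option from section 6 is passed so the log lists every file examined. The script relies on cmd.exe features (setlocal, exit /b, %COMPUTERNAME%) that COMMAND.COM on Windows 95/98/Me does not provide, so on those platforms follow the manual steps instead.

```batch
@echo off
rem Added example, not Sophos code: run RMBGBEAR on this computer and keep
rem a per-machine log so cleanup across a network can be audited afterwards.
rem Assumes BEARSFX.EXE was already extracted to C:\SOPHTEMP (section 3).
setlocal

set TOOLDIR=C:\SOPHTEMP
rem Hypothetical log share; replace with a location your administrators use.
set LOGDIR=\\FILESERVER\CLEANLOG
set LOGFILE=%LOGDIR%\%COMPUTERNAME%.txt

rem Refuse to continue if the archive has not been extracted yet.
if not exist "%TOOLDIR%\RMBGBEAR.EXE" (
    echo RMBGBEAR.EXE not found in %TOOLDIR%. Extract BEARSFX.EXE first.
    exit /b 1
)

rem Record which machine ran the tool and when.
echo === %COMPUTERNAME% %DATE% %TIME% === >> "%LOGFILE%"

rem Run from the tool folder as section 3 describes; -NS (section 6) makes
rem RMBGBEAR name every file it scans, so the log shows what was examined.
cd /d "%TOOLDIR%"
RMBGBEAR -NS >> "%LOGFILE%" 2>&1

rem Keep the exit code with the output so the result can be reviewed later.
echo RMBGBEAR exit code: %ERRORLEVEL% >> "%LOGFILE%"
echo Finished. Log written to %LOGFILE%.

endlocal
```

Run it from a command prompt opened as in section 3 a); afterwards, still scan the machine with Sophos Anti-Virus as section 4 directs, since the log only records what RMBGBEAR itself reported.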