The Patriot Files Forums  

  #1  
08-01-2003, 11:14 PM
Arrow
Senior Member
 

Join Date: Apr 2002
Location: Indian Territory
Posts: 4,240
Serious threat from bugbear virus...

I have received this virus twice in the last week through e-mail. I am using Grisoft, recommended many moons ago by m, and it has detected the virus, isolated it and cleaned my files. This virus has a serious potential of invading your privacy, up to and including stealing any credit card numbers that have been keyed into your computer. It can log every keystroke you make and send it to the creators of the virus. If you have not upgraded your virus program you need to do so. And even some of the most powerful ones have been having problems isolating this virus. You can verify this info by going out to Google and doing a search on groups regarding the bugbear virus, or even on the web search. It has been around since 2002 but has appeared again. I am blocking all attachments and taking down all addresses from my address book. I will key them in as I send them. This virus loves to attach itself to all in your address book. I would suggest to anyone that has received mail from me in the last week to be sure your virus program is current, and if it is not, update and run it. I'm as confident as one can be about these things that I'm in the clear for now. But that does not mean it won't happen again.

Remember there is no real security on the internet and no real privacy. What you write in an e-mail is the same as what you would write on the side of a barn. I'm removing all addresses and keeping them on paper and will not use the net for any financial transaction. It's just too damn dangerous. Other than that, if someone wants to track my activities on the net they can. They will just be bored to tears. My list of favorites includes the quotations of Voltaire, tons of Vietnam Vet pages, PTSD sites, Native American sites, PBS, Thomas.org, all things Washington (State of), ribbon embroidery (very subversive material there), oh, the weather.channel, FedEx. Well, you get the picture. Go to your virus protection program web site and check out:

I-Worm/Bugbear

I-Worm/Bugbear.A

After it is launched, this worm copies itself into the System folder using the same filename as in the e-mail. Then it distributes itself to the e-mail addresses stored in the Address book of the infected computer. It also tries to find computers where full-access sharing of the whole disk is allowed, and copies itself into their Startup folder, which enables its launching. Because this worm scans all shared resources, printers may start to print binary data when a computer in the LAN is infected.

The subject of the infected e-mail is variable; this virus has its own database of words which are used randomly in the e-mail. The worm is stored in the e-mail attachment, usually using a double-extension file name. This worm also uses Internet Explorer security holes to infect the computer, so it is able to infect the computer merely by the user clicking on the e-mail and viewing it in the preview window!

This virus also contains a backdoor trojan, which captures every text typed on the keyboard and allows the author of the virus to access your computer.

This virus is detected by AVG since version 393.

I-Worm/Bugbear.B

This is a kind of polymorphic virus, spreading itself as an attachment of e-mail messages and through shared drives in the local network. It also infects some .EXE files.

Installation:
Directly after execution, it copies itself to the Startup folder with a randomly generated file name and to the System folder, where it also saves a component that records all pressed keys to a file in the System folder.

Spreading:
E-mail:
The worm spreads itself to addresses taken from files with the extensions .MMF, .NCH, .MBX, .EML, .TBB, .DBX and from folders in MS Outlook. The mail message is variable: the virus can reuse an already present message and leave everything intact, including the attachment name, to which it adds a second executable extension (exe, scr, pif) while replacing the attachment content with its own code. The virus also contains some words that can be used for a randomly generated message.
The subject differs; the virus contains some words that are chosen randomly. Some of them are:
Hello!
update
hmm..
Payment notices
Just a reminder
Correction of errors
history screen
Announcement
various
Introduction
Interesting...
I need help about script!!!
Stats
Please Help...
Report
Membership Confirmation
Get a FREE gift!
Today Only
New Contests
Lost & Found
bad news
wow!
fantastic
click on this!
Market Update Report
empty account
My eBay ads Cows
25 merchants and rising
CALL FOR INFORMATION!
new reading
Sponsors needed
SCAM alert!!!
Warning!
its easy
free shipping!
News
Daily Email Reminder
Tools For Your Online Business
New bonus in your cash account
Your Gift
Re: $150 FREE Bonus!
Your News Alert
Hi!
Get 8 FREE issues - no risk!
Greets!

The attachment name is variable too, and the message body can contain parts of files found on the hard drive. To increase its effectiveness, it also uses a security hole in Internet Explorer that allows the virus to be executed just by opening the message in MS Outlook.

Shared drives:
The virus searches the local network for computers with the whole disk shared and tries to copy itself to their Startup folder. It also looks for .EXE files on shared drives and infects them.

Infection of .EXE files:
I-Worm/Bugbear.B infects some .EXE files by appending its code to the end of the file. The names of these files are fixed and are as follows:
scandskw.exe
regedit.exe
mplayer.exe
hh.exe
notepad.exe
winhelp.exe
Internet Explorer\iexplore.exe
adobe\acrobat 5.0\reader\acrord32.exe
WinRAR\WinRAR.exe
Windows Media Player\mplayer2.exe
Real\RealPlayer\realplay.exe
Outlook Express\msimn.exe
Far\Far.exe
CuteFTP\cutftp32.exe
Adobe\Acrobat 4.0\Reader\AcroRd32.exe
ACDSee32\ACDSee32.exe
MSN Messenger\msnmsgr.exe
WS_FTP\WS_FTP95.exe
QuickTime\QuickTimePlayer.exe
StreamCast\Morpheus\Morpheus.exe
Zone Labs\ZoneAlarm\ZoneAlarm.exe
Trillian\Trillian.exe
Lavasoft\Ad-aware 6\Ad-aware.exe
AIM95\aim.exe
Winamp\winamp.exe
DAP\DAP.exe
ICQ\Icq.exe
kazaa\kazaa.exe
winzip\winzip32.exe


The worm is also trying to terminate some antivirus programs.

Removal:
If the infected computer is connected to a LAN, it is necessary to disconnect this computer from the LAN before removing the virus and to re-establish the connection only once ALL computers in the LAN are cleaned.

1. disconnect the computer from LAN (local network)
2. download the rmbugbear.exe (http://www.grisoft.com/softw/removers/rmbugbear.exe) removal utility, and place the file on your hard disk or floppy diskette
3. run the rmbugbear.exe file
4. when the program is finished (rmbugbear.exe) restart your PC
5. run a complete AVG test

Exceptions:
If you are using Windows ME or Windows XP operating systems, there might be a problem in removing infected files from the _Restore folder (Windows ME) or System Volume Information folder (Windows XP). For the correct removal of these infected files, it is necessary to disable the system restore function.

__________________

Thomas Jefferson, Kentucky Resolutions of 1798: "In questions of power then, let no more be heard of confidence in man, but bind him down from mischief by the chains of the Constitution."
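The AVG description quoted above gives two concrete, checkable behaviours of Bugbear.B: it mails itself under a subject taken from a fixed word list with an attachment name carrying a second executable extension (exe, scr, pif), and it infects a fixed list of .EXE files by appending its code to the end of the file. The script below is an added example, not code from the forum post or from Grisoft/AVG, showing how a defender would turn both into checks: a mail screen for the subject and attachment-name patterns, and a size-plus-hash baseline that catches bytes appended to a host binary. The file paths, the sample message, the subset of subjects used and the baseline layout are assumptions made for this example.

```python
"""Added example, not code from the forum post or from Grisoft/AVG: two
defensive checks derived from the Bugbear.B description above.

1. Mail screening. The worm mails itself with a subject from a fixed word
   list and an attachment name carrying a second executable extension
   (exe, scr, pif). screen_message() flags both patterns.
2. Host integrity. The worm infects a fixed list of .EXE files by appending
   its code to the end of the file. A (size, sha256) baseline taken on a
   clean host lets find_modified() catch any appended bytes.

File paths, the sample message and the baseline layout are assumptions
made for this example.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

# Second extensions the description says the worm adds to attachment names.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif"}

# A subset of the subject words listed in the description (compared case-insensitively).
KNOWN_SUBJECTS = {
    "hello!", "update", "hmm..", "payment notices", "just a reminder",
    "membership confirmation", "get a free gift!", "scam alert!!!",
    "warning!", "daily email reminder", "re: $150 free bonus!",
}


def is_double_extension_executable(filename: str) -> bool:
    """True for names like 'photo.jpg.exe' or 'Report.DOC.scr', false for 'setup.exe'."""
    parts = filename.lower().rsplit(".", 2)
    # Need name.ext1.ext2 with a non-empty inner extension and an executable outer one.
    return len(parts) == 3 and parts[1] != "" and parts[2] in EXECUTABLE_EXTENSIONS


def screen_message(subject: str, attachments: Iterable[str]) -> List[str]:
    """Return the reasons to quarantine a message; an empty list means no match."""
    reasons = []
    if subject.strip().lower() in KNOWN_SUBJECTS:
        reasons.append(f"subject matches Bugbear word list: {subject!r}")
    for name in attachments:
        if is_double_extension_executable(name):
            reasons.append(f"double-extension executable attachment: {name!r}")
    return reasons


def sha256_of(path: str) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline_hashes(paths: Iterable[str]) -> Dict[str, Tuple[int, str]]:
    """Record (size, sha256) of each existing file; run this on a known-clean host."""
    return {p: (os.path.getsize(p), sha256_of(p)) for p in paths if os.path.isfile(p)}


def find_modified(baseline: Dict[str, Tuple[int, str]]) -> List[str]:
    """Paths whose size or hash no longer match the baseline, or that vanished."""
    modified = []
    for path, (size, digest) in baseline.items():
        if not os.path.isfile(path):
            modified.append(path)          # deleted or renamed: also worth a look
        elif os.path.getsize(path) != size or sha256_of(path) != digest:
            modified.append(path)          # appended code shows up as growth + new hash
    return modified


def demo_integrity_check() -> Tuple[List[str], List[str]]:
    """Constructed demo: a fake notepad.exe is baselined, then bytes are appended.
    Returns (modified before append, basenames modified after append)."""
    workdir = tempfile.mkdtemp()
    fake_exe = os.path.join(workdir, "notepad.exe")   # constructed stand-in, not a real binary
    with open(fake_exe, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 64)
    baseline = baseline_hashes([fake_exe])
    before = find_modified(baseline)
    with open(fake_exe, "ab") as fh:
        fh.write(b"<constructed appended payload>")   # simulates code appended to the file end
    after = find_modified(baseline)
    return before, [os.path.basename(p) for p in after]


if __name__ == "__main__":
    print(screen_message("Payment notices", ["invoice.doc.pif", "readme.txt"]))
    print(demo_integrity_check())
```

The baseline check deliberately compares size as well as the hash: appending code to a file always changes its length, so a size mismatch is a cheap first signal before the full digest is recomputed. For the listed Windows binaries the baseline would be taken on a freshly installed or known-clean machine and stored off-host, since a worm that can write to the Startup folder can also overwrite a baseline kept beside the files it infects.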