Esoteric Virus

Marcus

Hi,

I run a number of anti-virus checks...Norton on line......Panda on
line......McAfee... on line and AVG (installed). None come up with
anything. But when I run Trend's on line "House Call" it checks into my Juno
Mailbox and then takes over an hour to find: "PE_Bugbear.Dam." The program
says to delete it as it can't be cleaned. But when I direct it to do so, it
just goes into another endless process, the hour-glass hangs and I'm afraid
it is deleting my entire Mailbox.....so I
Ctrl/Alt/Delete out of the program. Trend says the virus is a non-executable
remnant from some Malware....but I'd like to get rid of it.

Any suggestions are welcome.


Marcus
 
David H. Lipman

Not all virus scanners detect damaged versions of infectors. The .DAM suffix on the
infector's name indicates that what was found is a DAMaged version of the BugBear Internet
worm. In its damaged state it is unable to infect the platform.

--
Dave




 
David H. Lipman

Sure, delete. Why keep it ?

--
Dave




| In other words there is no need to delete this particular worm?
|
| Marcus
 
Marcus

Cannot easily delete it! That was the initial problem. I ran the Trend
Sysclean as suggested and it didn't find anything. The only virus check that
comes up with this "Bugbear.dam" is the Trend on-line HouseCall. But when I
direct it to delete this file, it just runs the hour-glass for 15 minutes.
Should I let it go for another hour and hope it doesn't delete my mailbox?
I'm just surprised it takes so long to identify the virus (over an hour) and
then, apparently, just as long to delete it.

Marcus
 
Peter Seiler

David H. Lipman - 12.01.2005 19:06 :
Sure, delete. Why keep it ?


right, perhaps not only if damaged - he should delete, perhaps after a
backup for further investigation?
 
Roger Wilco

Marcus said:
Cannot easily delete it! That was the initial problem. I ran the Trend
Sysclean as suggested and it didn't find anything. The only virus check that
comes up with this "Bugbear.dam" is the Trend on-line HouseCall. But when I
direct it to delete this file, it just runs the hour-glass for 15 minutes.
Should I let it go for another hour and hope it doesn't delete my mailbox?
I'm just surprised it takes so long to identify the virus (over an hour) and
then, apparently, just as long to delete it.

Take note of where it was found, go there and delete it manually (the
e-mail or the executable attachment if detached).
 
David W. Hodgins

Cannot easily delete it! That was the initial problem. I ran the Trend

The AV program cannot delete the message from the email database, without
risking corrupting the indexing used by the email client.

Use whichever email client you use for juno. Sort the messages by size,
or whether or not they have an attachment, and delete the message there.

See http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
for a list of likely subjects.

Regards, Dave Hodgins
 
Marcus

But how to identify the culprit?

Use whichever email client you use for juno. Sort the messages by size,
or whether or not they have an attachment, and delete the message there.
 
Ant

Peter Seiler said:
David H. Lipman - 12.01.2005 19:06 :
Sure, delete. Why keep it ?
[snip]

right, perhaps not only if damaged - he should delete, perhaps after a
backup for further investigation?

Hey Mr Netiquette! If there's one thing that's worse than not
snipping, it's bottom-posting to a top-posted unsnipped followup
without snipping ;)
 
David W. Hodgins

But how to identify the culprit?

You're looking for an email with a size of around 50kb, likely (although not necessarily)
with a subject from the list on the above web page.

Regards, Dave Hodgins
 
Gabriele Neukam

On that special day, David W. Hodgins, ([email protected])
said...
You're looking for an email with a size of around 50kb, likely (although not necessarily)
with a subject from the list on the above web page.

That is, if the *damaged* worm hasn't been cut off by some not too good
anti virus program, so that it is considerably smaller than the usual
50 kb.

Marcus, can you identify a message with a notice about a worm that was
detected and somehow removed/dealt with? It might be that some HTML code
is still inside, that was supposed to run the worm, while the actual
executable was snipped; and Housecall finds the "run" commands and
identifies them as "typical for this and that worm". That would explain
the inconsistencies.


Gabriele Neukam

(e-mail address removed)
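
An added example, not part of any poster's message: a read-only scan that applies the advice above (look for attachments, compare against the roughly 50 KB size, allow for a smaller damaged copy) so the message can then be deleted from within the mail client. It assumes the mailbox has been exported to mbox format; the extension list, the 80% threshold and all names are assumptions, and the sample mailbox is constructed.

```python
import mailbox
import os
import tempfile
from email.message import EmailMessage

# Extensions treated as executable attachments (an assumption; extend as needed).
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")
EXPECTED = 50 * 1024  # "around 50kb" per the thread

def find_candidates(mbox_path):
    """Read-only scan: list messages carrying an executable-type attachment."""
    hits = []
    box = mailbox.mbox(mbox_path, create=False)
    try:
        for key, msg in box.iteritems():
            for part in msg.walk():
                name = (part.get_filename() or "").lower()
                if not name.endswith(EXEC_EXT):
                    continue
                size = len(part.get_payload(decode=True) or b"")
                # A damaged copy may be far smaller than the intact worm.
                state = "full-size" if size >= 0.8 * EXPECTED else "truncated"
                hits.append((key, msg.get("Subject", ""), name, size, state))
    finally:
        box.close()  # nothing was modified, so the file and its index are untouched
    return hits

def build_sample_mbox(path):
    """Constructed sample mailbox: one clean mail, two with dummy attachments."""
    box = mailbox.mbox(path)
    for subject, fname, size in [("Lunch?", None, 0),
                                 ("Your report", "report.doc.scr", 50688),
                                 ("Re: hello", "card.pif", 2048)]:
        m = EmailMessage()
        m["From"], m["To"], m["Subject"] = "a@example.invalid", "b@example.invalid", subject
        m.set_content("constructed test message")
        if fname:
            m.add_attachment(b"\x00" * size, maintype="application",
                             subtype="octet-stream", filename=fname)
        box.add(m)
    box.close()  # close() flushes the added messages to disk

if __name__ == "__main__":
    sample = os.path.join(tempfile.mkdtemp(), "sample.mbox")
    build_sample_mbox(sample)
    for hit in find_candidates(sample):
        print(hit)
```

Each hit gives the message index, subject, attachment name, decoded size and whether the attachment looks intact or cut down.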
 
Marcus

Thanks Folks!

Not sure exactly what purged that big bad BUGBEAR.DAM but between running
Trend's Sysclean, and deleting a few suspicious e-mails..... the job is
done!

Marcus
 
