Re: [ql-users] Caution- BugBear Virus (from another PC)

2002-10-07 Thread Jeremy Taffel


I was also caught out - setting up another PC for my daughter starting
university. Checked that I'd set the email up correctly for her, and it was
in the first mail received - I hadn't remembered to change lookout's
default config. My virus checker that I'd installed a few days earlier was
out of date! Noticing the problem immediately (it killed the Zone Alarm
firewall), I disconnected, and used "find" to locate the files with the
same create time as that of the email receipt. I tried to rename the
suspicious files but couldn't - some were in use by windows, so I then
booted to dos prompt, renamed them, and then did a scanreg /restore to go
back to an older version of the registry.

Then, and only then did I go back online, updated my virus checker, ran it,
(it confirmed that the renamed files contained bugbear), and deleted the
files permanently. Rebooted, and ran the virus checker again - no viruses
found - job done.

One of the reasons that I'm very suspicious of the newer flavours of windows
which supposedly aren't built on DOS is that if windows is using the files
you can't delete them, but if you can't stop windows from using them I
think it's only a matter of time before a virus is developed that cannot be
successfully disembedded from Windows short of a full re-install.
Actually, come to think about it, there are several out there already..
Windows 98, Windows Me, ...

Jeremy
- Original Message -
From: <[EMAIL PROTECTED]>
To: "ql-users" <[EMAIL PROTECTED]>
Sent: Monday, October 07, 2002 7:52 AM
Subject: Re: [ql-users] Caution- BugBear Virus (from another PC)



First of all sorry for my bad english.
and sorry also for the virus :-(

I use AVG but my database virus was (sic!) out of date.
My error.
No italian restaurant, mafia connection or other stupid post :-/

Now I've updated the database.
AVG now detect the worm but can't remove it
Any suggestion?

Mr Bergen, antivirus are a good solution for the virus problem but
is there any solution for your idiocy? :-/

Giorgio Garabello
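
The triage step described in the message above (locating files whose timestamp matches the moment the infected mail arrived) can be scripted. This is an added example, not part of the original thread; the function names, the five-minute window and the sample file names are assumptions made for illustration.

```python
import os
import tempfile
from datetime import datetime, timedelta


def files_near(root, reference, window=timedelta(minutes=5)):
    """Return (path, which, when) for files under root whose creation or
    modification time lies within `window` of `reference` (naive local time)."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # locked or vanished file: skip it, keep walking
            stamps = {"modified": st.st_mtime}
            # A true creation time (st_birthtime) exists only on some platforms.
            birth = getattr(st, "st_birthtime", None)
            if birth is not None:
                stamps["created"] = birth
            for which, ts in stamps.items():
                when = datetime.fromtimestamp(ts)
                if abs(when - reference) <= window:
                    hits.append((path, which, when))
    return sorted(hits, key=lambda h: h[2])


def demo():
    """Constructed sample: three files, two stamped close to the mail receipt."""
    received = datetime(2002, 10, 7, 7, 52)  # constructed reference time
    samples = {
        "dropped.exe": received + timedelta(seconds=20),   # constructed name
        "helper.dll": received + timedelta(minutes=2),     # constructed name
        "old_report.doc": received - timedelta(days=30),   # unrelated old file
    }
    with tempfile.TemporaryDirectory() as root:
        for name, when in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed sample")
            os.utime(path, (when.timestamp(), when.timestamp()))
        return [os.path.basename(p) for p, _which, _when in files_near(root, received)]


if __name__ == "__main__":
    print(demo())
```

The hits are candidates for review only; renaming or deleting them still has to happen while the files are not in use, as the message notes.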






Re: [ql-users] Caution- BugBear Virus (from another PC)

2002-10-07 Thread Phoebus Dokos


At 02:43 μμ 7/10/2002, you wrote:

To add to what Stephen said,
If you are using Eudora (and haven't turned Microsoft Viewer on) removal is 
easier than that.
First delete the message, then go to the attachment directory (usually 
under x:\Program Files\Qualcomm\Eudora\Attach\)
and delete setup.scr

And you're all set.

If you are using Opera or Netscape, a simple delete of the message will 
kill the attachment as well


Phoebus




Re: [ql-users] Caution- BugBear Virus (from another PC)

2002-10-07 Thread Stephen Meech



McAfee have a removal utility called Stinger at:
http://vil.nai.com/vil/stinger/ which I used to check my machine.  I don't
know how effective it is as I had already removed most of the virus manually
and then used AVG to finish it off by the time I downloaded Stinger.

Further information may be found at:
http://vil.mcafee.com/dispVirus.asp?virus_k=99728

I understand that there is another utility at:
http:[EMAIL PROTECTED]

It may be necessary to remove the registry entry at
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce, and
reboot before AVG can get at the virus .exe file. I had booted from a
clean floppy and simply deleted it but that was only because my firewall had
already reported the .exe name.

If you are using WindowsME then the virus will tend to get stuck in your
_RESTORE directory but it won't do any harm there as long as you don't attempt
a system restore.

Good luck!

Stephen

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.394 / Virus Database: 224 - Release Date: 03/10/2002


Re: [ql-users] Caution- BugBear Virus (from another PC)

2002-10-07 Thread Stephen Meech


McAfee have a removal utility called Stinger at:
http://vil.nai.com/vil/stinger/ which I used to check my machine.  I don't
know how effective it is as I had already removed most of the virus manually
and then used AVG to finish it off by the time I downloaded Stinger.

Further information may be found at:
http://vil.mcafee.com/dispVirus.asp?virus_k=99728

It may be necessary to remove the registry entry at
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce, and
reboot before AVG can get at the virus .exe file. I had booted from a
clean floppy and simply deleted it but that was only because my firewall had
already reported the .exe name.

If you are using WindowsME then the virus will tend to get stuck in your
_RESTORE directory but it won't do any harm there as long as you don't attempt
a system restore.

Good luck!

Stephen


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.394 / Virus Database: 224 - Release Date: 03/10/2002
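
The registry check mentioned in the message above can be done offline against a text export of the registry. This is an added example, not part of the original thread: it lists string values under the RunOnce key named in the message and, going one step further, the sibling Run key, then compares them with a known-good baseline. The export text, value names and paths are constructed placeholders.

```python
import re

# Keys whose values are launched at start-up (compared case-insensitively).
AUTORUN_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\runonce",
    r"\software\microsoft\windows\currentversion\run",
)
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample in REGEDIT4 export format; the RunOnce value is a placeholder.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"placeholder"="C:\\WINDOWS\\SYSTEM\\PLACEHOLDER.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer]
"Unrelated"="ignored"
'''


def _unescape(text):
    """Undo .reg escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r"\\(.)", r"\1", text)


def autorun_entries(reg_text):
    """Return (key, value_name, command) for string values under autorun keys."""
    entries, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            key = name if name.lower().endswith(AUTORUN_SUFFIXES) else None
            continue
        match = _STRING_VALUE.match(line) if key else None
        if match:
            entries.append((key, _unescape(match.group(1)), _unescape(match.group(2))))
    return entries


def unexpected(entries, baseline_names):
    """Entries whose value name is not in a known-good baseline."""
    known = {n.lower() for n in baseline_names}
    return [e for e in entries if e[1].lower() not in known]


if __name__ == "__main__":
    for entry in unexpected(autorun_entries(SAMPLE_EXPORT), {"SystemTray", "ScanRegistry"}):
        print(entry)
```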




Re: [ql-users] Caution- BugBear Virus

2002-10-07 Thread Michael Berger


Tony Firshman wrote:

> Sorry - must have missed it.
> It is there now:
> * *** *** 6.00.2600.   (this line was censored)

Oh no!!! What did you do Tony! You spelled THE NAME. Probably something
terrible will happen - an earthquake, a release of a new piece of M$oftware
or the return of the spice girls, maybe even something worse. But it will be
definitely your fault!

> It would be great if you could explain how you quoted 'normally' this
> time, or did you do it manually?

Must admit I did manually but - it is getting better all the time - this
time my reply contains automatically generated quotation marks.

Greetings

Michael





Re: [ql-users] Caution- BugBear Virus

2002-10-07 Thread Tony Firshman


On  Mon, 7 Oct 2002 at 13:50:01, Michael Berger wrote:
(ref: <000101c26df8$46f0d320$ac0e01d9@1und11010841>)

>
>Tony Firshman wrote:
>
>> Interestingly whatever mailer you use does not identify itself in the
>> header, so I guess it cannot be 'that which shall not be named' (8-)#
>
>Now that is funny ... in fact it is. Looks like the program behaves the same
>as we do.
>
Sorry - must have missed it.
It is there now:
Microsoft Outlook Express 6.00.2600.

It would be great if you could explain how you quoted 'normally' this
time, or did you do it manually?



-- 
 QBBS (QL fido BBS 2:252/67) +44(0)1442-828255
  tony@.demon.co.uk  http://www.firshman.demon.co.uk
   Voice: +44(0)1442-828254   Fax: +44(0)1442-828255
TF Services, 29 Longfield Road, TRING, Herts, HP23 4DG



Re: [ql-users] Caution- BugBear Virus (from another PC)

2002-10-07 Thread danity


> It was really not my intention to be offending - that was just a joke. I
> understand from your reaction that it was not a good one. So
> please accept my apologies.

Ok, no problem.
My English is very poor and is also easy for me to misunderstand the 
intention or the tone of a post.

Giorgio Garabello




Re: [ql-users] Caution- BugBear Virus

2002-10-07 Thread Michael Berger


Tony Firshman wrote:

> Interestingly whatever mailer you use does not identify itself in the
> header, so I guess it cannot be 'that which shall not be named' (8-)#

Now that is funny ... in fact it is. Looks like the program behaves the same
as we do.




Re: [ql-users] Caution- BugBear Virus (from another PC)

2002-10-07 Thread Michael Berger


Giorgio,

It was really not my intention to be offending - that was just a joke. I
understand from your reaction that it was not a good one. So
please accept my apologies.

Greetings

Michael

> Mr Bergen, antivirus are a good solution for the virus problem but
> is there any solution for your idiocy? :-/






Re: [ql-users] Caution- BugBear Virus

2002-10-07 Thread Tony Firshman


On  Mon, 7 Oct 2002 at 00:14:44, Michael Berger wrote:
(ref: <002301c26d85$c777f280$d60e01d9@1und11010841>)


>To come back to the beginning of the discussion: the good news - I am
>convinced that this newsgroup with its fashion of > (or >> or >>>) as state
>of the art of attachments is definitely non-vulnerable for this kind of
>attack.
This is _not_ a newsgroup of course - just a collection of emails
(mailing list).

In my experience, not just this mailing list but most newsgroups (ie non
'bainary' [sic] newsgroups) are very against any 'binary' arriving.
 for very good reason.
Even the electronic card subscripts and html can cause real havoc for
people using text only systems. (Spike - are you listening?).

The 'fashion' (as you call it ) of '>' is surely the norm.
Not only does it help readability, but aids snipping (and working out
attribution).
Your fashion of not adding these is very much in the minority, and
confusing.
Interestingly whatever mailer you use does not identify itself in the
header, so I guess it cannot be 'that which shall not be named' (8-)#
-- 
 QBBS (QL fido BBS 2:252/67) +44(0)1442-828255
  tony@.demon.co.uk  http://www.firshman.demon.co.uk
   Voice: +44(0)1442-828254   Fax: +44(0)1442-828255
TF Services, 29 Longfield Road, TRING, Herts, HP23 4DG



RE: [ql-users] Caution- BugBear Virus (from another PC)

2002-10-07 Thread Norman Dunbar


I believe that there is a bugbear disinfectant available from one of the
major anti virus distributions which will remove all traces of bugbear from
an infected system.

I can't remember if it is McAfee or Sophos - sorry.

HTH

Norman.

-
Norman Dunbar
Database/Unix administrator
Lynx Financial Systems Ltd.
mailto:[EMAIL PROTECTED]
Tel: 0113 289 6265
Fax: 0113 289 3146
URL: http://www.Lynx-FS.com
-


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 07, 2002 7:53 AM
To: ql-users
Subject: Re: [ql-users] Caution- BugBear Virus (from another PC)




Now I've updated the database.
AVG now detect the worm but can't remove it
Any suggestion?





Re: [ql-users] Caution- BugBear Virus

2002-10-07 Thread Tony Firshman


On  Sun, 6 Oct 2002 at 20:08:07, Roy Wood wrote:
(ref: <[EMAIL PROTECTED]>)

>
>In message ,
>Φοίβος Ρ. Ντόκος
><[EMAIL PROTECTED]> writes
>>
>>Hi All,
>>Please be cautioned that Giorgio's been infected with the BugBear Worm.
>>Do not Open the attachment (unless LookOut Distress did that already
>>for you...)
>>
>>AVG does remove it.
>Norton detects and quarantines it. I have had one or two so far.
Indeed it does.  I have had about 20 (8-(#

-- 
 QBBS (QL fido BBS 2:252/67) +44(0)1442-828255
  tony@.demon.co.uk  http://www.firshman.demon.co.uk
   Voice: +44(0)1442-828254   Fax: +44(0)1442-828255
TF Services, 29 Longfield Road, TRING, Herts, HP23 4DG



Re: [ql-users] Caution- BugBear Virus (from another PC)

2002-10-06 Thread danity


First of all sorry for my bad english.
and sorry also for the virus :-(

I use AVG but my database virus was (sic!) out of date.
My error.
No italian restaurant, mafia connection or other stupid post :-/

Now I've updated the database.
AVG now detect the worm but can't remove it
Any suggestion?

Mr Bergen, antivirus are a good solution for the virus problem but
is there any solution for your idiocy? :-/

Giorgio Garabello





Re: [ql-users] Caution- BugBear Virus

2002-10-06 Thread Φοίβος Ρ. Ντόκος


??? 6/10/2002 6:14:44 ??, ?/? "Michael Berger" <[EMAIL PROTECTED]> ??:

>...
>To come back to the beginning of the discussion: the good news - I am
>convinced that this newsgroup with its fashion of > (or >> or >>>) as state
>of the art of attachments is definitely non-vulnerable for this kind of
>attack.
>
>

Well I imagine you mean the quoting of text.
That has nothing to do with attachments unfortunately, so yes the group is VERY 
vulnerable to attacks (at least all those 
which these worms target)

Phoebus






Re: [ql-users] Caution- BugBear Virus

2002-10-06 Thread Michael Berger






>even INHEAR is not mean enough to open attachments automatically - the user
>has to add the final piece of stupidity - by clicking on the attachment.
>So (at least from my understanding) it would be unfair to complain about a
>no-cost software that is dangerous to the dull ones - but that is something
>the whole life is ...

Actually no... because of its geared "for-the-masses" (as you nicely put
it), it opens automatically all attachments indiscriminately... (unless you
tell it not to...)
Hence the spread of all these viruses/worms.

I shouldn't tho blame Micro$oft for that as they want a piece of software
that is easy enough even for the most inexperienced user...
There IS a cost in the popularisation of computers after all.

Phoebus



WOW ... 10 years ago I could have claimed I just invented XML ;-)

I must admit you are right - the "DO NOT CALL  ITS NAME" email program shows
attached pictures automatically - and come to think about it: it is nothing
more than relying on the programmers responsibility (and the power of
publicity!!!) - that it hopefully would not execute too much things secretly
behind the nice Windoze GUI
...
To come back to the beginning of the discussion: the good news - I am
convinced that this newsgroup with its fashion of > (or >> or >>>) as state
of the art of attachments is definitely non-vulnerable for this kind of
attack.




Re: [ql-users] Caution- BugBear Virus

2002-10-06 Thread Roy Wood


In message , 
Φοίβος Ρ. Ντόκος
<[EMAIL PROTECTED]> writes
>
>Hi All,
>Please be cautioned that Giorgio's been infected with the BugBear Worm.
>Do not Open the attachment (unless LookOut Distress did that already 
>for you...)
>
>AVG does remove it.
Norton detects and quarantines it. I have had one or two so far.
-- 
Roy Wood
Q Branch, 20 Locks Hill Portslade. Sussex. BN41 2LB. UK
Tel : +44 (0)1273 386030 Fax : +44 (0)1273 430501 (New number!)
Mobile +44(0)7836 745501
Web : www.qbranch.demon.co.uk





Re: [ql-users] Caution- BugBear Virus

2002-10-06 Thread Phoebus Dokos


At 02:19 μμ 6/10/2002, you wrote:
>

>even INHEAR is not mean enough to open attachments automatically - the user
>has to add the final piece of stupidity - by clicking on the attachment.
>So (at least from my understanding) it would be unfair to complain about a
>no-cost software that is dangerous to the dull ones - but that is something
>the whole life is ...

Actually no... because of its geared "for-the-masses" (as you nicely put 
it), it opens automatically all attachments indiscriminately... (unless you 
tell it not to...)
Hence the spread of all these viruses/worms.

I shouldn't tho blame Micro$oft for that as they want a piece of software 
that is easy enough even for the most inexperienced user...
There IS a cost in the popularisation of computers after all.

Phoebus





Re: [ql-users] Caution- BugBear Virus

2002-10-06 Thread Michael Berger


You REALLY made me laugh with your reply - that is a good thing, even if
nothing else is, honestly!

ok - I must admit I am a user of the program which is obviously forbidden to
be named in this newsgroup ... the evil 'WhatEverLook'.

The software "not for the classes but for the masses" (didn't ATARI once
upon a time advertise with a similar slogan?) ... ok ... but I must claim
one thing:
even INHEAR is not mean enough to open attachments automatically - the user
has to add the final piece of stupidity - by clicking on the attachment.
So (at least from my understanding) it would be unfair to complain about a
no-cost software that is dangerous to the dull ones - but that is something
the whole life is ...
- Original Message -
From: "Phoebus Dokos" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, October 06, 2002 19:13
Subject: Re: [ql-users] Caution- BugBear Virus



At 12:39 μμ 6/10/2002, you wrote:

>what do you mean ATTACHMENT ???
>
>something that has
> >
>or
> >>
>or even
> >>>
>in front of it ???
>
>and who the hell is Giorgio - is this the waiter from the italian restaurant
>next corner (I have ever been suspicious that he is a member of the mafia
>...)

Nope... an attachment (at least on LookOut Distress that you are using)
appears as a nice paper-clip icon. If you have applied the latest security
fix on the god forsaken thing Microsoft calls an email program you
shouldn't have trouble. Usually though few people do and Outlook
generally has more holes than "Swiss" cheese made by Amish ;-)

As for Giorgio Garabello, he is a well known and respected (plugg)
member of the QL family :-) (Now Giorgio I expect a cheque in the mail
first thing tomorrow morning)

That's all folks,


Phoebus





Re: [ql-users] Caution- BugBear Virus

2002-10-06 Thread Phoebus Dokos


At 12:39 μμ 6/10/2002, you wrote:

>what do you mean ATTACHMENT ???
>
>something that has
> >
>or
> >>
>or even
> >>>
>in front of it ???
>
>and who the hell is Giorgio - is this the waiter from the italian restaurant
>next corner (I have ever been suspicious that he is a member of the mafia
>...)

Nope... an attachment (at least on LookOut Distress that you are using) 
appears as a nice paper-clip icon. If you have applied the latest security 
fix on the god forsaken thing Microsoft calls an email program you 
shouldn't have trouble. Usually though few people do and Outlook 
generally has more holes than "Swiss" cheese made by Amish ;-)

As for Giorgio Garabello, he is a well known and respected (plugg) 
member of the QL family :-) (Now Giorgio I expect a cheque in the mail 
first thing tomorrow morning)

That's all folks,


Phoebus




Re: [ql-users] Caution- BugBear Virus

2002-10-06 Thread Michael Berger


what do you mean ATTACHMENT ???

something that has
>
or
>>
or even
>>>
in front of it ???

and who the hell is Giorgio - is this the waiter from the italian restaurant
next corner (I have ever been suspicious that he is a member of the mafia
...)


- Original Message -
From: "Φοίβος Ρ. Ντόκος" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, October 06, 2002 17:08
Subject: [ql-users] Caution- BugBear Virus


>
> Hi All,
> Please be cautioned that Giorgio's been infected with the BugBear Worm.
> Do not Open the attachment (unless LookOut Distress did that already for you...)
>
> AVG does remove it.
>
>
> Phoebus
>
>
>




[ql-users] Caution- BugBear Virus

2002-10-06 Thread Φοίβος Ρ. Ντόκος


Hi All,
Please be cautioned that Giorgio's been infected with the BugBear Worm.
Do not Open the attachment (unless LookOut Distress did that already for you...)

AVG does remove it.


Phoebus