Re: [ql-users] Caution- BugBear Virus (from another PC)
I was also caught out - setting up another PC for my daughter starting university. Checked that I'd set the email up correctly for her, and it was in the first mail received - I hadn't remembered to change lookout's default config. My virus checker that I'd installed a few days earlier was out of date!

Noticing the problem immediately (it killed the Zone Alarm firewall), I disconnected, and used "find" to locate the files with the same create time as that of the email receipt. I tried to rename the suspicious files but couldn't - some were in use by windows, so I then booted to dos prompt, renamed them, and then did a scanreg /restore to go back to an older version of the registry. Then, and only then did I go back online, updated my virus checker, ran it, (it confirmed that the renamed files contained bugbear), and deleted the files permanently. Rebooted, and ran the virus checker again - no viruses found - job done.

One of the reasons that I'm very suspicious of the newer flavours of windows which supposedly aren't built on DOS is that if windows is using the files you can't delete them, but if you can't stop windows from using them I think it's only a matter of time before a virus is developed that cannot be successfully disembedded from Windows short of a full re-install.

Actually, come to think about it, there are several out there already.. Windows 98, Windows Me, ...

Jeremy

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "ql-users" <[EMAIL PROTECTED]>
Sent: Monday, October 07, 2002 7:52 AM
Subject: Re: [ql-users] Caution- BugBear Virus (from another PC)

First of all sorry for my bad english. and sorry also for the virus :-(
I use AVG but my database virus was (sic!) out of date. My error.
No italian restaurant, mafia connection or other stupid post :-/

Now I've updated the database.
AVG now detect the worm but can't remove it
Any suggestion?

Mr Bergen, antivirus are a good solution for the virus problem but is there any solution for your idiocy?
:-/

Giorgio Garabello
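The triage described in the message above (list the files stamped around the moment the mail arrived, then rename rather than delete them) can be sketched as follows. This is an added example, not part of any post in this thread; the function names, the `.suspect` suffix, the timestamp and every file name except `setup.scr` are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def files_near(root, when, window=120):
    """Files under root created or modified within `window` s of `when` (epoch)."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            try:
                st = path.stat()
            except OSError:
                continue  # unreadable or vanished: keep walking
            # st_ctime is creation time on Windows, inode-change time on Unix
            delta = min(abs(st.st_mtime - when), abs(st.st_ctime - when))
            if delta <= window:
                hits.append((delta, str(path)))
    return [Path(p) for _delta, p in sorted(hits)]  # closest match first


def quarantine(paths, suffix=".suspect"):
    """Rename instead of delete; return the paths that could not be renamed."""
    failed = []
    for path in paths:
        try:
            path.rename(path.with_name(path.name + suffix))
        except OSError:  # locked by a running process, missing, read-only...
            failed.append(path)
    return failed


def demo():
    """Constructed sample: three files, two stamped near the 'mail received' time."""
    received = 1033973520  # constructed timestamp, not taken from the thread
    root = Path(tempfile.mkdtemp())
    for name, offset in (("setup.scr", 0), ("dropped.dll", 30), ("notes.txt", -86400)):
        f = root / name
        f.write_bytes(b"x")
        os.utime(f, (received + offset, received + offset))
    hits = files_near(root, received)
    # A nonexistent path stands in for a file the OS refuses to rename
    failed = quarantine(hits + [root / "in-use.exe"])
    return [p.name for p in hits], [p.name for p in failed], sorted(p.name for p in root.iterdir())


if __name__ == "__main__":
    print(demo())
```

Anything returned by `quarantine` is a file that stayed in place, which is the case the message handles by rebooting to a clean environment before renaming.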
Re: [ql-users] Caution- BugBear Virus (from another PC)
At 02:43 PM 7/10/2002, you wrote:

To add to what Stephen said, if you are using Eudora (and haven't turned Microsoft Viewer on) removal is easier than that. First delete the message, then go to the attachment directory (usually under x:\Program Files\Qualcomm\Eudora\Attach\) and delete setup.scr

And you're all set. If you are using Opera or Netscape, a simple delete of the message will kill the attachment as well

Phoebus
Re: [ql-users] Caution- BugBear Virus (from another PC)
McAfee have a removal utility called Stinger at: http://vil.nai.com/vil/stinger/ which I used to check my machine. I don't know how effective it is as I had already removed most of the virus manually and then used AVG to finish it off by the time I downloaded Stinger.

Further information may be found at: http://vil.mcafee.com/dispVirus.asp?virus_k=99728

I understand that there is another utility at: http:[EMAIL PROTECTED]

It may be necessary to remove the registry entry at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce, and reboot before AVG can get at the virus .exe file. I had booted from a clean floppy and simply deleted it but that was only because my firewall had already reported the .exe name.

If you are using WindowsME then the virus will tend to get stuck in your _RESTORE directory but it won't do any harm there as long as you don't attempt a system restore.

Good luck!

Stephen

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.394 / Virus Database: 224 - Release Date: 03/10/2002
[ql-users] Quote marks from Oot***
On Mon, 7 Oct 2002 at 19:44:46, Michael Berger wrote:
(ref: <002c01c26e29$3b66c2e0$92283dd5@1und11010841>)

>Tony Firshman wrote:
>
>> Sorry - must have missed it.
>> It is there now:
>> * *** *** 6.00.2600. (this line was censored)
>
>Oh no!!! What did you do Tony! You spelled THE NAME. Probably something
>terrible will happen - an earthquake, a release of a new piece of M$oftware
>or the return of the spice girls, maybe even something worse. But it will be
>definitely your fault! (8-)#
>
>> It would be great if you could explain how you quoted 'normally' this
>> time, or did you do it manually?
>
>Must admit I did manually but - it is getting better all the time - this
>time my reply contains automatically generated quotation marks.

Ahha - can you send exactly what you did so others can copy, and we can stop this incessant OT chatter (8-)#

--
QBBS (QL fido BBS 2:252/67) +44(0)1442-828255
tony@.demon.co.uk http://www.firshman.demon.co.uk
Voice: +44(0)1442-828254 Fax: +44(0)1442-828255
TF Services, 29 Longfield Road, TRING, Herts, HP23 4DG
Re: [ql-users] Caution- BugBear Virus
Tony Firshman wrote:

> Sorry - must have missed it.
> It is there now:
> * *** *** 6.00.2600. (this line was censored)

Oh no!!! What did you do Tony! You spelled THE NAME. Probably something terrible will happen - an earthquake, a release of a new piece of M$oftware or the return of the spice girls, maybe even something worse. But it will be definitely your fault!

> It would be great if you could explain how you quoted 'normally' this
> time, or did you do it manually?

Must admit I did manually but - it is getting better all the time - this time my reply contains automatically generated quotation marks.

Greetings

Michael
Re: [ql-users] Caution- BugBear Virus
On Mon, 7 Oct 2002 at 13:50:01, Michael Berger wrote:
(ref: <000101c26df8$46f0d320$ac0e01d9@1und11010841>)

>Tony Firshman wrote:
>
>> Interestingly whatever mailer you use does not identify itself in the
>> header, so I guess it cannot be 'that which shall not be named' (8-)#
>
>Now that is funny ... in fact it is. Looks like the program behaves the same
>as we do.

Sorry - must have missed it.
It is there now:
Microsoft Outlook Express 6.00.2600.

It would be great if you could explain how you quoted 'normally' this time, or did you do it manually?

--
QBBS (QL fido BBS 2:252/67) +44(0)1442-828255
tony@.demon.co.uk http://www.firshman.demon.co.uk
Voice: +44(0)1442-828254 Fax: +44(0)1442-828255
TF Services, 29 Longfield Road, TRING, Herts, HP23 4DG
Re: [ql-users] Caution- BugBear Virus (from another PC)
> It was really not my intention to be offending - that was just a joke. I
> understand from your reaction that it was not a good one. So
> please accept my apologies.

Ok, no problem. My english is very poor and is also easy for me to misunderstand the intention or the tone of a post.

Giorgio Garabello
Re: [ql-users] Caution- BugBear Virus
Tony Firshman wrote:

> Interestingly whatever mailer you use does not identify itself in the
> header, so I guess it cannot be 'that which shall not be named' (8-)#

Now that is funny ... in fact it is. Looks like the program behaves the same as we do.
Re: [ql-users] Caution- BugBear Virus (from another PC)
Giorgio,

It was really not my intention to be offending - that was just a joke. I understand from your reaction that it was not a good one. So please accept my apologies.

Greetings

Michael

> Mr Bergen, antivirus are a good solution for the virus problem but
> is there any solution for your idiocy? :-/
Re: [ql-users] Caution- BugBear Virus
On Mon, 7 Oct 2002 at 00:14:44, Michael Berger wrote:
(ref: <002301c26d85$c777f280$d60e01d9@1und11010841>)

>To come back to the beginning of the discussion: the good news - I am
>convinced that this newsgroup with its fashion of > (or >> or >>>) as state
>of the art of attachments is definitely non-vulnerable for this kind of
>attack.

This is _not_ a newsgroup of course - just a collection of emails (mailing list).

In my experience, not just this mailing list but most newsgroups (ie non 'bainary' [sic] newsgroups) are very against any 'binary' arriving, for very good reason. Even the electronic card subscripts and html can cause real havoc for people using text only systems. (Spike - are you listening?).

The 'fashion' (as you call it) of '>' is surely the norm. Not only does it help readability, but aids snipping (and working out attribution). Your fashion of not adding these is very much in the minority, and confusing.

Interestingly whatever mailer you use does not identify itself in the header, so I guess it cannot be 'that which shall not be named' (8-)#

--
QBBS (QL fido BBS 2:252/67) +44(0)1442-828255
tony@.demon.co.uk http://www.firshman.demon.co.uk
Voice: +44(0)1442-828254 Fax: +44(0)1442-828255
TF Services, 29 Longfield Road, TRING, Herts, HP23 4DG
RE: [ql-users] Caution- BugBear Virus (from another PC)
I believe that there is a bugbear disinfectant available from one of the major anti virus distributions which will remove all traces of bugbear from an infected system. I can't remember if it is McAfee or Sophos - sorry.

HTH

Norman.

Norman Dunbar
Database/Unix administrator
Lynx Financial Systems Ltd.
mailto:[EMAIL PROTECTED]
Tel: 0113 289 6265
Fax: 0113 289 3146
URL: http://www.Lynx-FS.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 07, 2002 7:53 AM
To: ql-users
Subject: Re: [ql-users] Caution- BugBear Virus (from another PC)

Now I've updated the database.
AVG now detect the worm but can't remove it
Any suggestion?
Re: [ql-users] Caution- BugBear Virus
On Sun, 6 Oct 2002 at 20:08:07, Roy Wood wrote:
(ref: <[EMAIL PROTECTED]>)

>In message, Φοίβος Ρ. Ντόκος <[EMAIL PROTECTED]> writes
>>
>>Hi All,
>>Please be cautioned that Giorgio's been infected with the BugBear Worm.
>>Do not Open the attachment (unless LookOut Distress did that already
>>for you...)
>>
>>AVG does remove it.
>Norton detects and quarantines it. I have had one or two so far.

Indeed it does. I have had about 20 (8-(#

--
QBBS (QL fido BBS 2:252/67) +44(0)1442-828255
tony@.demon.co.uk http://www.firshman.demon.co.uk
Voice: +44(0)1442-828254 Fax: +44(0)1442-828255
TF Services, 29 Longfield Road, TRING, Herts, HP23 4DG