Esoteric Virus


Marcus

Hi,

I run a number of anti-virus checks...Norton on line......Panda on
line......McAfee... on line and AVG (installed). None come up with
anything. But when I run Trend's on line "House Call" it checks into my Juno
Mailbox and then takes over an hour to find: "PE_Bugbear.Dam." The program
says to delete it as it can't be cleaned. But when I direct it to do so, it
just goes into another endless process, the hour-glass hangs and I'm afraid
it is deleting my entire Mailbox.....so I Ctrl/Alt/Delete out of the program.
Trend says the virus is a non-executable
remnant from some Malware....but I'd like to get rid of it.

Any suggestions are welcome.


Marcus
 
Not all virus scanners detect damaged versions of infectors. The .DAM suffix on the
infector's name indicates that what was found is a DAMaged version of the BugBear Internet
worm. In its damaged state it is unable to infect the platform.

--
Dave




 
Sure, delete. Why keep it?

--
Dave




| In other words there is no need to delete this particular worm?
|
| Marcus
 
Cannot easily delete it! That was the initial problem. I ran the Trend
Sysclean as suggested and it didn't find anything. The only virus check that
comes up with this "Bugbear.dam" is the Trend on-line HouseCall. But when I
direct it to delete this file, it just runs the hour-glass for 15 minutes.
Should I let it go for another hour and hope it doesn't delete my mailbox?
I'm just surprised it takes so long to identify the virus (over an hour) and
then, apparently, just as long to delete it.

Marcus
 
David H. Lipman - 12.01.2005 19:06 :
Sure, delete. Why keep it?

Right, perhaps not only if damaged - he should delete, perhaps after a
backup for further investigation?
 
Marcus said:
Cannot easily delete it! That was the initial problem. I ran the Trend
Sysclean as suggested and it didn't find anything. The only virus check that
comes up with this "Bugbear.dam" is the Trend on-line HouseCall. But when I
direct it to delete this file, it just runs the hour-glass for 15 minutes.
Should I let it go for another hour and hope it doesn't delete my mailbox?
I'm just surprised it takes so long to identify the virus (over an hour) and
then, apparently, just as long to delete it.

Take note of where it was found, go there and delete it manually (the
e-mail or the executable attachment if detached).
 
Cannot easily delete it! That was the initial problem. I ran the Trend

The AV program cannot delete the message from the email database, without
risking corrupting the indexing used by the email client.

Use whichever email client you use for juno. Sort the messages by size,
or whether or not they have an attachment, and delete the message there.

See http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
for a list of likely subjects.

Regards, Dave Hodgins
 
But how to identify the culprit?

Use whichever email client you use for juno. Sort the messages by size,
or whether or not they have an attachment, and delete the message there.
 
Peter Seiler said:
David H. Lipman - 12.01.2005 19:06 :
Sure, delete. Why keep it?
[snip]

Right, perhaps not only if damaged - he should delete, perhaps after a
backup for further investigation?

Hey Mr Netiquette! If there's one thing that's worse than not
snipping, it's bottom-posting to a top-posted unsnipped followup
without snipping ;)
 
But how to identify the culprit?

You're looking for an email with a size of around 50kb, likely (although not necessarily)
with a subject from the list on the above web page.

Regards, Dave Hodgins
 
On that special day, David W. Hodgins, ([email protected])
said...
You're looking for an email with a size of around 50kb, likely (although not necessarily)
with a subject from the list on the above web page.

That is, if the *damaged* worm hasn't been cut off by some not too good
anti virus program, so that it is considerably smaller than the usual
50 kb.

Marcus, can you identify a message with a notice about a worm that was
detected and somehow removed/dealt with? It might be that some HTML code
is still inside, that was supposed to run the worm, while the actual
executable was snipped; and Housecall finds the "run" commands and
identifies them as "typical for this and that worm". That would explain
the inconsistencies.


Gabriele Neukam

(e-mail address removed)
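
Added example, not part of any post in this thread: a small Python triage script for the manual search described above (sort by size or attachment, look for roughly 50kb, allow for a cut-down remnant that leaves only HTML behind). It assumes the mailbox has been exported to mbox format; the extension list, the size window, the iframe/`cid:` heuristic and the three sample messages are all constructed for illustration.

```python
import mailbox
import tempfile
from email.message import EmailMessage

RISKY_EXT = (".exe", ".scr", ".pif")  # assumption: extensions treated as executable
SIZE_RANGE = (40_000, 60_000)         # assumption: what counts as "around 50kb"

def triage(mbox_path):
    """Return (subject, reasons) for each message worth opening by hand."""
    box, hits = mailbox.mbox(mbox_path, create=False), []
    for msg in box:
        reasons = []
        for part in msg.walk():
            data = part.get_payload(decode=True) or b""  # None for containers
            name = (part.get_filename() or "").lower()
            if name.endswith(RISKY_EXT):  # catches truncated attachments too
                reasons.append("executable attachment: " + name)
            if name and SIZE_RANGE[0] <= len(data) <= SIZE_RANGE[1]:
                reasons.append("attachment of about 50 KB")
            # Assumed shape of leftover "run" code: an inline frame that
            # points at an embedded MIME part, which may have been stripped.
            html = data.lower() if part.get_content_type() == "text/html" else b""
            if b"<iframe" in html and b"cid:" in html:
                reasons.append("HTML iframe referencing an embedded part")
        if reasons:
            hits.append((msg["Subject"], reasons))
    box.close()
    return hits

def build_sample(path):
    """Write three constructed messages (no real malware) to an mbox file."""
    specs = [("lunch", "See you at noon.", "plain"),
             ("hello", "see attachment", "plain"),
             ("report", '<html><iframe src="cid:part1"></iframe></html>', "html")]
    box = mailbox.mbox(path)
    for subject, body, subtype in specs:
        m = EmailMessage()
        m["Subject"] = subject
        m.set_content(body, subtype=subtype)
        if subject == "hello":  # filler bytes standing in for a ~50 KB attachment
            m.add_attachment(b"A" * 50_000, maintype="application",
                             subtype="octet-stream", filename="notes.doc.scr")
        box.add(m)
    box.close()

if __name__ == "__main__":
    sample = tempfile.mkdtemp() + "/sample.mbox"
    build_sample(sample)
    for subject, reasons in triage(sample):
        print(subject, "->", "; ".join(reasons))
```

The script only reads the mailbox; the flagged messages are then deleted from within the e-mail client so its index stays consistent.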
 
Thanks Folks!

Not sure exactly what purged that big bad BUGBEAR.DAM but between running
Trend's Sysclean, and deleting a few suspicious e-mails..... the job is
done!

Marcus
 