Author Topic: Virus W32.Bugbear.B@mm  (Read 3351 times)

Offline ejc

  • Super Poster
  • ***
  • Posts: 102
Virus W32.Bugbear.B@mm
« on: June 25, 2003, 08:54:46 AM »
Hi. One of my e-mail recipients detected virus W32.Bugbear.B@mm associated with a file Setup.exe. I have a Mac, how can this be?
Using Outlook Express on a Mac 8500 with OS 9.0.4.
Anybody know how to destroy it?
Sherlock cannot find it.

I am sending this via Mozilla

Please help

ejc

Offline kelly

  • TS Addict
  • *****
  • Posts: 17035
Virus W32.Bugbear.B@mm
« Reply #1 on: June 25, 2003, 09:05:19 AM »
Did you forward an e-mail with an Attachment?

Or is it just something sent with your name on it from someone's Address Book?
« Last Edit: June 25, 2003, 09:06:26 AM by kelly »
kelly
Veteran SuperUser

Offline ejc

  • Super Poster
  • ***
  • Posts: 102
Virus W32.Bugbear.B@mm
« Reply #2 on: June 25, 2003, 09:08:26 AM »
Hi Kelly,

Yes a Word 98 .doc

ejc

Offline ejc

  • Super Poster
  • ***
  • Posts: 102
Virus W32.Bugbear.B@mm
« Reply #3 on: June 25, 2003, 09:11:49 AM »
Kelly,

Another recipient, to whom I sent no attachment, also detected a virus, but did not inform me of its name.

Thanks

ejc

Offline ejc

  • Super Poster
  • ***
  • Posts: 102
Virus W32.Bugbear.B@mm
« Reply #4 on: June 25, 2003, 09:23:29 AM »
Kelly,

Both recipients received the mail under my name but from an address that is not mine!

ejc

Offline kelly

  • TS Addict
  • *****
  • Posts: 17035
Virus W32.Bugbear.B@mm
« Reply #5 on: June 25, 2003, 09:30:26 AM »
Your Mac cannot create or run Windows viruses.

Did you get that word.doc from someone else?
kelly
Veteran SuperUser

Offline kelly

  • TS Addict
  • *****
  • Posts: 17035
Virus W32.Bugbear.B@mm
« Reply #6 on: June 25, 2003, 09:32:09 AM »
Again. Is it your stuff they received? Or just your name on other stuff?
kelly
Veteran SuperUser

Offline ejc

  • Super Poster
  • ***
  • Posts: 102
Virus W32.Bugbear.B@mm
« Reply #7 on: June 25, 2003, 09:37:11 AM »
The Word Doc contained some stuff, copied and pasted, from some technical trade news sites on the Web. As far as I know they are bona fide trade mags and I have used them with the same procedure many times before.
But what about the recipient with no attachment?

ejc

Offline kelly

  • TS Addict
  • *****
  • Posts: 17035
Virus W32.Bugbear.B@mm
« Reply #8 on: June 25, 2003, 09:38:39 AM »
OK. It looks like your .doc was used by someone's PC that got infected.

http://vil.nai.com/vil/content/v_100358.htm

You're an innocent bystander.

tacit would have figured this out right away.
kelly
Veteran SuperUser

Offline ejc

  • Super Poster
  • ***
  • Posts: 102
Virus W32.Bugbear.B@mm
« Reply #9 on: June 25, 2003, 09:54:18 AM »
Kelly,

Many thanks for the information.

Must go now. Will re-visit later.

ejc

Offline Paddy

  • Administrator
  • TS Addict
  • *****
  • Posts: 13797
    • https://www.paddyduncan.com
Virus W32.Bugbear.B@mm
« Reply #10 on: June 25, 2003, 12:00:06 PM »
The Bugbear virus is a real pain in the patootie...it's been all over for the past few weeks and at least two people who belong to my 150-member email group have had it. And, of course, distributed it all over the place. Since I'm in most of their address books, I've had an average of 1 a day from someone or other.

The Bugbear virus "spoofs" the sender's address - it snitches an address from the victim's address book. So, if I'm in Fred's email address book, and Fred gets the virus, then it could send copies of itself out to everyone in Fred's address book UNDER MY NAME. However, the IP address won't match my IP address. If you look at the headers (source) usually there are some oddities in there, like "untrusted sender".

I had one guy who emailed me and said he'd had the virus and thought he had it all cleaned up - last Saturday. Yesterday, I got another copy of the virus, allegedly from someone with the same last name (brother?) and on checking the IP addresses found that the sender was indeed the same - the victim who thought he had it all cleaned up.

The other thing the Bugbear virus does is grab any file off the victim's computer and send it as the body of the email. I've had orchestra meeting notices from February 2003, an email I sent (that was quite strange!) in December 2002...whatever. It's quite random. The nasty bit is the attachment - usually a file that appears to have TWO extensions - "filename.doc.exe".

Unlike some of the other viruses that spoof email addresses, this one does not reveal the actual sender in the headers - in fact the headers are usually quite incomplete. The emails I've received have usually had info added by the mail server, like "Sending client does not conform to RFC822 minimum requirements" as well as the aforementioned "untrusted sender". The only way to identify the actual sender is from the IP address - and most of us use ISPs who use DHCP, so this isn't always that useful, unless you have two recent emails (one legit, one virus) to compare IPs, as I did yesterday.

I usually send the confused to:
http://securityresponse.symantec.com/avcen...gbear.b@mm.html or
http://vil.mcafee.com/dispVirus.asp?virus_k=100358

Both McAfee and Symantec have removal tools available for download.

Remember - this one is PC-only and won't do a thing to your Mac except fill up your trash can.
"If computers get too powerful, we can organize them into committees. That'll do them in." ~Author unknown •iMac 5K, 27" 3.6Ghz i9 (2019) • 16" M1 MBP(2021) • 9.7" iPad Pro • iPhone 13

Offline sandbox

  • TS Addict
  • *****
  • Posts: 7825
Virus W32.Bugbear.B@mm
« Reply #11 on: June 25, 2003, 12:48:15 PM »
On a day a friend in Kentucky went into surgery from the hospital bed for a brain tumor, I got an email addressed from him. I thought it odd, but maybe his wife, or friends staying with her through the ordeal, were sending out updates. I opened it to find it was a virus-driven email; the header indicated that it came from Russia, though later research proved it to be Taiwan. The situation compelled me to open it, fearing the worst, but it just seemed odd that it would come at such an inopportune time.

The subject was “A  powful tool” yes mis-spelled
http://lists.cistron.nl/pipermail/cistron-...une/003812.html
The W32.Klez.D virus but it works just like the Bugbear.  B)

[~!~]
...^..’

Offline tacit

  • TS Addict
  • *****
  • Posts: 1628
    • http://www.xeromag.com/
Virus W32.Bugbear.B@mm
« Reply #12 on: June 25, 2003, 02:01:17 PM »
Your computer is not infected with the virus. It's a PC virus, and it is not a macro virus, which means it does not infect .DOC files. The virus did not come from your computer; it has nothing to do with you.

Somebody else who knows you is infected. The virus emails copies of itself, but with a fake From: header.

Most internet users do not know this, but you can never, ever trust the From: in any email message. I can send email to anybody I like that says it is from anybody I like. If you tell me your email address, I can send email that says it is From: you!

The virus puts different people's addresses in the From: field in order to trick people.

Let's say I get a copy of the virus emailed to me. It says From: johndoe@techsurvivors.com.

I'm going to call John Doe up and say "Hey, you just sent me a virus!" But John Doe *didn't* send me the virus. John Doe had nothing to do with it. The virus faked John Doe's email address in order to make it harder to figure out who is REALLY infected.
A whole lot about me: www.xeromag.com/franklin.html
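
An added example, not part of any poster's reply: the header comparison Paddy describes in reply #10 and the untrustworthy From: line tacit describes in reply #12, sketched in Python. The messages, names and IP addresses are constructed (documentation ranges), the extension list is an assumption, and the topmost Received line is assumed to be the one written by the recipient's own mail server.

```python
import re
from email.message import EmailMessage

# Extensions treated as executable: an assumption made for this example.
EXECUTABLE = {"exe", "scr", "pif", "com", "bat"}
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def connecting_ip(msg):
    """IP in the topmost Received header, or None if there is none.
    Assumes that header was added by the recipient's own server, making
    it the one hop the sending machine could not forge."""
    hops = msg.get_all("Received") or []
    found = BRACKETED_IP.search(str(hops[0])) if hops else None
    return found.group(1) if found else None

def double_extension_files(msg):
    """Attachment names such as 'notes.doc.exe': at least two extensions,
    the last of them executable."""
    hits = []
    for part in msg.iter_attachments():
        pieces = (part.get_filename() or "").lower().split(".")
        if len(pieces) >= 3 and pieces[-1] in EXECUTABLE:
            hits.append(part.get_filename())
    return hits

def same_machine(known, suspect):
    """True when both messages reached our server from one IP address,
    whatever their From: lines claim."""
    ip = connecting_ip(known)
    return ip is not None and ip == connecting_ip(suspect)

def sample(sender, client_ip, attachment=None):
    """Build a constructed message for the demonstration."""
    msg = EmailMessage()
    msg["Received"] = (f"from unknown ([{client_ip}]) by mx.example.org; "
                       "Tue, 24 Jun 2003 09:00:00 -0400")
    # Lower hop supplied by the sending machine: never trusted here.
    msg["Received"] = "from forged.example ([198.51.100.99]) by relay.example"
    msg["From"] = sender
    msg.set_content("constructed sample body")
    if attachment:
        msg.add_attachment(b"MZ", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg

LEGIT = sample("Fred <fred@example.com>", "203.0.113.7")
VIRUS = sample("Paddy <paddy@example.org>", "203.0.113.7", "minutes.doc.exe")
OTHER = sample("Fred <fred@example.com>", "192.0.2.44", "report.doc")
```

`same_machine(LEGIT, VIRUS)` is true even though the From: names differ, while `OTHER` carries Fred's name but arrived from a different address; with DHCP the comparison only means something for messages received close together in time.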

Offline ejc

  • Super Poster
  • ***
  • Posts: 102
Virus W32.Bugbear.B@mm
« Reply #13 on: June 26, 2003, 04:46:36 AM »
I want to say a huge "Thank you" to the wonderful people who contribute to this site.
As a longtime Mac owner with only limited knowledge of systems, I was really concerned that I was unwittingly causing nuisance to others.
Now my mind is at rest thanks to my Mac and Techsurvivors.

Peace

ejc