
The Mudcat Café TM
https://mudcat.org/thread.cfm?threadid=52722
33 messages

Virus overides Norton?????

21 Oct 02 - 01:13 PM (#807900)
Subject: Virus overides Norton?????
From: Glen Reid

Being totally computer ILLITERATE
I need help quick!!!!!
It seems a virus got around my recently updated Norton protection and is playing havoc with my head.

It also sent out numerous infected emails with my name on it, to who knows how many (sorry any mudcatters, who may have got one).

It knocks off Norton, when I try to reactivate it.
Won't let me shut down properly.
I live in a rural area and my computer tech. can't be reached.

Any help would be appreciated,
Thanks, Glen


21 Oct 02 - 01:28 PM (#807916)
Subject: RE: Virus overides Norton?????
From: Max

Go to www.norton.com. They might have info on it.


21 Oct 02 - 03:13 PM (#808001)
Subject: RE: Virus overides Norton?????
From: bernil

This is another place where you can read about viruses and also do an online virus-check: Panda

It sounds like Bugbear which is known to affect antiviral programs.

Info from that site:
W32/Bugbear is a worm that reaches computers in an e-mail message which is very difficult to recognize, as its subject, contents and the name of the attached file are made up randomly.
W32/Bugbear affects several antivirus programs and firewalls in order to leave the computer defenseless against other viruses and attacks.
W32/Bugbear has a size of 50,688 bytes (compressed with UPX) and is written in the Visual C programming language. Additionally, W32/Bugbear drops a DLL file (dynamic link library), which contains a keylogging Trojan, detected by Panda as Trj/PSW.Bugbear 5632 (Bytes).

You can also find a tool there to remove it (when you've found what it is).

Good luck!

Berit


21 Oct 02 - 06:19 PM (#808124)
Subject: RE: Virus overides Norton?????
From: GUEST,Hille

Sounds Bugbearish ... there's a cleanup tool (also includes Klez)
http://download.nai.com/products/mcafee-avert/stingersetup.exe
(Blue clicky someone?) - very easy - very quick


21 Oct 02 - 07:36 PM (#808146)
Subject: RE: Virus overides Norton?????
From: GUEST,MCP

This does sound like Bugbear - if it got past Norton before your virus definitions were updated, Norton have a removal tool at: Norton Bugbear removal tool page.

Mick


21 Oct 02 - 08:16 PM (#808150)
Subject: RE: Virus overides Norton?????
From: Uncle_DaveO

I have Norton, and it has a number of times told me it stopped Bugbear. But then I update my definitions weekly or sooner. Go thou and do likewise.

Dave Oesterreich


21 Oct 02 - 08:29 PM (#808154)
Subject: RE: Virus overides Norton?????
From: Sorcha

I have Norton and it has stopped bugbear several times. I also downloaded the "fix" just in case.


21 Oct 02 - 08:38 PM (#808161)
Subject: RE: Virus overides Norton?????
From: 53

Go Sorcha


22 Oct 02 - 05:13 AM (#808373)
Subject: RE: Virus overides Norton?????
From: Glen Reid

Hi all, Looks like after spending most of the night dicking about with this thing, that it is indeed the Bugbear virus that's been suggested.
I downloaded the Panda Active Scan and did their scan which found 8 infected files, which were fixed.
This enabled me to go to the Norton and do their scan, which turned up nothing.
The computer shuts down now in the proper way. The next thing I try will be my emails and hopefully the buggers no longer linger.
Much thanks to all you good people, for the support and advice.
All the best,
Glen


22 Oct 02 - 10:02 AM (#808496)
Subject: RE: Virus overides Norton?????
From: mack/misophist

If it's not too expensive for you, may I suggest you set your machine to update its definitions EVERY night, and do a scan. That's what I do when I'm living in Windows and I've never had a problem like yours.


22 Oct 02 - 01:53 PM (#808659)
Subject: RE: Virus overides Norton?????
From: Bill D

I delete all suspicious emails and spam BEFORE they get on my machine by using something like PopTray

I also have AVG (free) anti-virus in addition to Norton....


22 Oct 02 - 03:18 PM (#808744)
Subject: RE: Virus overides Norton?????
From: Glen Reid

What puzzles me is, how come I still got infected after downloading the latest Norton updates, which I have to pay for and it took a free service like Panda to make things right?
Someone mentioned "McAfee" was a much better service and the downloads come automatically. Any thoughts?
Glen


22 Oct 02 - 06:03 PM (#808879)
Subject: RE: Virus overides Norton?????
From: JohnInKansas

If you have any remotely recent version of Norton, you should be able to set it to update to any schedule you want, and on the newer ones you can let it download automatically or have it prompt you when you're due.

My recent trips to the McAfee site resulted in more time cleaning up their popups than in checking out the virus information I went for, but they are a "respectable" AV service.

We've seen instances where an individual virus may get through almost any AV used, especially if you're not recently updated. It is a very good idea to bookmark several AV sites (before the next disaster) so that you have them handy; but some virus may get through any program you choose. You're probably better off with a program you're familiar with, updated a little more often, than with a new "program of the week."

Since you know that "someone who knows you" has had BugBear (that's how you got it) I'd suggest that you download the "repair file" (FxBgbear.exe) from Norton and put it somewhere safe (on a floppy?) for a while. With the latest updates, Norton should catch it if it comes back, but 175KB of disk space is pretty cheap insurance.

In our case, Norton stopped it the first time, but we've had 5 repeats (also all stopped by Norton), apparently from the same source, in the last couple of weeks. We're still trying to figure out which one of our friends is infected and doesn't know it yet.

John


22 Oct 02 - 11:31 PM (#809039)
Subject: RE: Virus overides Norton?????
From: Stilly River Sage

W32/Bugbear has a size of 50,688 bytes (compressed with UPX) and is written in the Visual C programming language. Additionally, W32/Bugbear drops a DLL file (dynamic link library), which contains a keylogging Trojan, detected by Panda as Trj/PSW.Bugbear 5632 (Bytes).


What does "50,688 bytes" translate to in Kilobytes? It would make sense for it to be 51K, but no one seems to say so. Is there a reason? I think I've deleted several posts about that size before I opened them and even gave Norton a shot at them. If I don't recognize a name, or the subject makes less than perfect sense, I delete it, no questions asked. I was hit hard by SirCam when my notepad accidentally opened it. I had to completely reinstall the entire computer (both platforms) before I finished with that debacle.

I have my Norton Antivirus and Personal Firewall set up to scan the computer every evening. I update every day or two manually, but should probably set it to do that automatically as well. Good suggestion to have a few links handy for other providers for "just in case" application.

SRS


22 Oct 02 - 11:59 PM (#809050)
Subject: RE: Virus overides Norton?????
From: GUEST

"What does "50,688 bytes" translate to in Kilobytes?"

50688/1024 = 49.5Kb


23 Oct 02 - 07:03 AM (#809120)
Subject: RE: Virus overides Norton?????
From: nutty

90% of viruses could be avoided by switching from Microsoft Internet Explorer to another browser (eg Netscape)


23 Oct 02 - 07:19 AM (#809125)
Subject: RE: Virus overides Norton?????
From: pavane

Email viruses can usually be avoided by using a different email program, rather than Outlook/Outlook Express. No need to change browser for that.


23 Oct 02 - 07:59 AM (#809140)
Subject: RE: Virus overides Norton?????
From: Mr Red

I got a hit from a Bugbear and my Norton (within 5 days of the last update) missed it. Fortunately I have a policy about attachments and files with extensions I don't understand so it got wiped summarily. Then a Mudcat alert and a Norton update - fast. The next three hits were all found by Norton. So there was a window between where Norton were finding the problem and posting fixes.
Mind you I have switched off all scripting in my e-mail client so maybe that saved me.
I KNOW I would struggle with an infection and the thought of it keeps me vigilant.
From what I am told Norton have the answers but the procedure is not always that simple. Best of luck - PAL.


23 Oct 02 - 08:38 AM (#809164)
Subject: RE: Virus overides Norton?????
From: GUEST

We use Sophos at work, and I am on their email list. When I get a virus alert email from Sophos, I run a script which downloads *all* their current IDE (identifier) files in a ZIP file and unpacks it (takes seconds), and then run the update program (two clicks). On the next reboot, usually the next morning, the PC is protected against the new virus.

As it's a central network installation, this actually means that everybody in the office gets updated the next morning and is thus safe within 24 hours of the IDE being issued.

We get monthly updates on CD, but before I set up the above arrangement one user got hit by a virus the day before the next monthly update was due. Since I have subscribed to the email list, we have had no infections.

Once a week is not enough.

I use mutt (Unix text mode email client via an SSH connection to the server) for my email so viruses don't touch me, but I'm never going to persuade the rest of the office to do that.

Anahata


23 Oct 02 - 10:44 AM (#809261)
Subject: RE: Virus overides Norton?????
From: Glen Reid

Is "Eudora" a safer email program to be using?
Glen


23 Oct 02 - 10:57 AM (#809273)
Subject: RE: Virus overides Norton?????
From: GUEST,JTT

Eudora is a good emailer; there's a sponsored version that shows you ads, or you can buy it for around $30.

Eudora lets you set up filters, so you can filter your mail into different mailboxes, like Friends, Work, Probable Spam, etc.

(A good way to filter out most spam is to filter out "any header" with the word html in it. After that, you just need to filter out individual subjects like "loan", "size does matter", "earn" and so on. Then you can skim down through the Probable Spam mailbox in case any sad friend has sent you html-styled mail, and delete the rest.)

If you want a good non-Internet Explorer browser, go to www.mozilla.org and download the latest (not the beta) version. Very nice, and not as popular a target for viruses as IE.


23 Oct 02 - 11:43 AM (#809306)
Subject: RE: Virus overides Norton?????
From: treewind

Opera's another good browser, for Windows and other platforms,
also available free with an 'ad' window or paid-for without the ads.

BTW, Spam filtering is not the same as virus filtering. Viruses can come with any header, and from your friends (or at least with your friends' From: address)

Anahata


23 Oct 02 - 05:04 PM (#809554)
Subject: RE: Virus overides Norton?????
From: Bill D

Eudora is a great email program and the AVG anti-virus has a special setting for Eudora...
for that matter, so is Pegasus Mail one of the most amazing FREE programs out there...it is VERY secure, and can be tweaked in many ways.

there are various ways to be safe & secure without struggling with IE, Outlook and such, which are major targets.


24 Oct 02 - 09:39 AM (#810099)
Subject: RE: Virus overides Norton?????
From: Mr Red

the problem with all the more obscure e-mail apps is also their benefit. Occasionally I get attachments that have msg extensions. Can Opera, Pegasus, etc read those files?

The last msg file was about licensing laws and PEL and from a respected source.
OK catters do I read it or trash? Maybe I should crank-up Netscape and see if the e-mail client can cope.


24 Oct 02 - 11:12 AM (#810185)
Subject: RE: Virus overides Norton?????
From: Bill D

msg? Is that what the extension says .msg? Is it different than .doc or .txt?

In any good email program, you can set a preference to tell it what application to use to open ANY attachment.

If you want to send ME one with a "msg" attachment, I'll try opening it in Pegasus, Opera, Netscape, Calypso, Mozilla (Netscape clone), and finally in Eudora, which is my 'final' program. (All the others are set to 'leave mail on server').

extree@erols.com


08 Oct 03 - 01:22 PM (#1031856)
Subject: RE: Virus overides Norton?????
From: Stilly River Sage

Here's a real virus alert, came in at my library workplace today. I'm posting on this old thread instead of the recent joke "virus alert" in hopes that it will be taken seriously.--SRS
    To All Staff:

    It has been reported that W32.IRCBot.B may arrive in an email message about a fake program update for Norton Antivirus. The sender, updates@symantec.com, is a spoofed email address. Symantec never sends unsolicited email; the attachment should be deleted.

    The email message may appear as shown below:

    From: updates@symantec.com (spoofed email address)
    Subject: Last Update.
    Body: October 06, 2003
    Intruder Alert 4.1 W32_Webb_Worm Policy
    This policy detects the propagation of the W32.SobigF.Worm though changes in the registry.

    W32.Webb.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds in various files. The worm uses its own SMTP engine to propagate and attempts to create a copy of itself on accessible network shares, but fails due to bugs in the code.

    In attachment you can find program that update your Norton Antivirus to Norton Antivirus 2004.
    Attachment: nav32.zip



    Please don't open the attachment, just DELETE the email.

    Thank You.
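
An added example, not part of the original posts: a Python sketch of the attachment policy several posters describe, applied to the alert above. The sender `updates@symantec.com` and the file name `nav32.zip` come from the alert; the extension lists, the double-extension rule, the function names `triage` and `build_sample`, and the `example.org` addresses are assumptions made for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed policy lists for this sketch; tune them for your own site.
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
DECOY_EXT = {".doc", ".txt", ".jpg", ".xls"}   # inner half of a "photo.jpg.scr" name
ARCHIVE_EXT = {".zip"}
NEVER_SENDS_FILES = {"symantec.com"}           # per the alert: no unsolicited mail

def triage(raw_message):
    """Return the reasons to quarantine a message (empty list: no rule fired)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    # From: is only a claim, so it is never used to trust a message,
    # only to catch mail that pretends to come from a vendor.
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    names = [(part.get_filename() or "").lower() for part in msg.iter_attachments()]
    reasons = []
    for name in names:
        stem, ext = os.path.splitext(name)
        if ext in RISKY_EXT:
            reasons.append(f"executable attachment: {name}")
            if os.path.splitext(stem)[1] in DECOY_EXT:
                reasons.append(f"double extension: {name}")
        elif ext in ARCHIVE_EXT:
            reasons.append(f"archive attachment: {name}")
    if names and domain in NEVER_SENDS_FILES:
        reasons.append(f"claims {domain} but carries an attachment")
    return reasons

def build_sample(sender, subject, filename=None):
    """Build a constructed test message; the attachment bytes are harmless filler."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "staff@example.org", subject
    m.set_content("constructed sample body")
    if filename:
        m.add_attachment(b"constructed filler", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    for args in [("updates@symantec.com", "Last Update.", "nav32.zip"),
                 ("friend@example.org", "hello", "photo.jpg.scr"),
                 ("friend@example.org", "hello")]:
        print(args[0], "->", triage(build_sample(*args)) or "deliver")
```

The rules key on what the message carries rather than on its subject or sender, since both can be random or forged.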


08 Oct 03 - 01:35 PM (#1031873)
Subject: RE: Virus overides Norton?????
From: John MacKenzie

I got a virus called W32.SwenA@mm last week and Symantec sorted it out. It showed when NAV stopped scanning outgoing e-mails. I think I got it through Kazaa Lite, as the summary of the virus scan mentions it, although I had deleted Kazaa some time before, so assume that it was a lurker.
Giok


08 Oct 03 - 04:51 PM (#1031956)
Subject: RE: Virus overides Norton?????
From: Burke

There's a version of W32/Gibe-F aka SwenA that gets past the virus checker on our mail server at work. My Sophos detects it as it's being downloaded, but reports Access denied. It finally shreds when I look at the attachment directory. The e-mail message is always a Returned Mail message.

This is really nasty, I almost always get two messages that have come from the same source. One is the Microsoft Patch message & our server always catches that one. The second is Returned Mail & always has the virus. I've gotten dozens of them in the past week and a half.


09 Oct 03 - 12:00 AM (#1032187)
Subject: RE: Virus overides Norton?????
From: artbrooks

I got a W32 variant yesterday. The sender was allegedly Microsoft, and the message was something like "install this upgrade immediately." Norton caught and quarantined it.


09 Oct 03 - 12:26 AM (#1032201)
Subject: RE: Virus overides Norton?????
From: Gurney


09 Oct 03 - 12:39 AM (#1032211)
Subject: RE: Virus overides Norton?????
From: Gurney

It isn't a bad idea to have two browsers on your system. I once downloaded a patch that monstered IE, and I couldn't get it to contact Microshaft. I had to load Netscape from a coverdisk.
I also received a worm that Norton couldn't find, maybe they just hadn't had time as it was an English one. InoculateIt (free at the time, eTrust as it is now is cheap still) found it.
InoculateIt used to work in parallel with Norton, but I don't know if eTrust still does.


09 Oct 03 - 05:56 AM (#1032283)
Subject: RE: Virus overides Norton?????
From: nickp

Inoculate/eTrust (which I use at home and also the business version at work) from www.cai.com. They've always seemed on the ball to me.


10 Oct 03 - 05:07 AM (#1032952)
Subject: RE: Virus overides Norton?????
From: Beverley Barton

This page looks way too clever for me, so I'll sling my hook!