I had a few Windows 98 workstations infected by Bugbear. Strange as it may appear, the ***.exe file it creates in Windows Startup can appear and disappear. I am fortunate that 'Stinger' by McAfee Avert was able to delete the other ***.exe file in the System folder. Given this behavior, would you say that Bugbear has stealth capabilities?
No, Bugbear does not have a stealth mode, but I think your answer is simple. First off, check and delete the following registry key on all your systems:
- Click Start, and click Run. The Run dialog box appears.
- Type regedit and then click OK. The Registry Editor opens.
- Navigate to this key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- Next, disconnect each from the network (yes, unplug the network cable), boot each in safe mode and scan with the most recent antivirus definitions.
I think the issue is that you keep getting re-infected with Bugbear; thus it looks like it is gone and then re-appears.
Also, a word of caution. Using the Registry Editor can do severe damage to your computers. Be very careful.
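The registry check above has to be repeated on every workstation, so the following added example (not part of the original answer) reads registry exports saved as text and lists what each machine has under the RunOnce key, without editing anything. It assumes the exports are in the REGEDIT4 text format; the host names, value names and file names are constructed for illustration.

```python
import re

# Constructed sample export in REGEDIT4 text format (not data from a real machine).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"abcd"="C:\\WINDOWS\\SYSTEM\\abcd.exe"
@="setup.exe /cleanup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]
"x"="y"
'''

# The key named in the answer, lower-cased for a case-insensitive exact match.
RUNONCE = r"hkey_local_machine\software\microsoft\windows\currentversion\runonce"
# A value line is  "name"=data  or  @=data  (the key's default value).
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unescape(field):
    """Strip the surrounding quotes of a .reg string and undo \\\\ and \\" escapes."""
    if len(field) >= 2 and field.startswith('"') and field.endswith('"'):
        return re.sub(r'\\(.)', r'\1', field[1:-1])
    return field  # non-string data (hex:, dword:) is returned unchanged

def runonce_values(export_text):
    """Return {value_name: data} for the HKLM RunOnce key only (not RunOnceEx)."""
    found, in_key = {}, False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == RUNONCE
            continue
        match = VALUE_RE.match(line) if in_key else None
        if match:
            name = "(Default)" if match.group(1) == "@" else unescape(match.group(1))
            found[name] = unescape(match.group(2))
    return found

def audit(exports):
    """Map host -> RunOnce values, keeping only hosts that have any entries."""
    report = {}
    for host, text in exports.items():
        values = runonce_values(text)
        if values:
            report[host] = values
    return report
```

Entries it reports are candidates for manual review, since legitimate installers also write to RunOnce.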
This was first published in October 2002