
W32.Bugbear - What a headache!

Status
Not open for further replies.

MIScjryan

MIS
Oct 15, 2004
25
CA
The BugBear virus appears to have nailed my corporate network...we're looking at 11 grocery stores spanning 1000km apart, connected via DSL WAN links. Also included are two wholesaling warehouses, and multiple office locations. Overall, a network of around 300 computers.

BugBear is affecting each and every store and office. All removal tools do not appear to find anything, and anti-virus tools cannot delete, clean, or heal infected files.

HELP!

Christopher Ryan
cryan.at.colemans.ca
visit us online @
 
Download the removal tool and create a batch file to launch the tool (with the command line switches added). Then add the batch file to your login script and have people begin to reboot (try and do this in a bit of a staged manner to avoid hammering your network overly much).

Or, load the removal tool to a standard location on the network and instruct users to run it.
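One way to wire the removal tool into a login script as suggested above, as an added example that is not the poster's own script. The tool file name, its `/SILENT` and `/LOG` switches, and the `\\FILESERVER\cleanlog` share are placeholders to replace with the real values from the vendor's documentation; the per-machine log line also answers the later question of which particular machine reported an infection.

```batch
@echo off
rem Constructed example: run a worm removal tool once per machine from the
rem domain login script and report the outcome to a central share.
rem Assumptions: BUGBEAR_TOOL.EXE, /SILENT, /LOG, \\FILESERVER\cleanlog are
rem placeholders, not real vendor values.

set TOOLSRC=\\FILESERVER\tools\BUGBEAR_TOOL.EXE
set LOGSHARE=\\FILESERVER\cleanlog
set LOCALDIR=%SystemDrive%\cleanup
set MARKER=%LOCALDIR%\done.txt

rem Skip machines that already ran the tool, so repeated logins do not
rem re-run the scan and load the WAN link every time.
if exist "%MARKER%" goto :eof

if not exist "%LOCALDIR%" mkdir "%LOCALDIR%"

rem Copy the tool locally first: running it straight off the share keeps a
rem network handle open and is slower over DSL.
copy /Y "%TOOLSRC%" "%LOCALDIR%\" >nul
if errorlevel 1 (
    echo %COMPUTERNAME% COPY_FAILED %DATE% %TIME% >> "%LOGSHARE%\results.txt"
    goto :eof
)

rem Run the tool unattended and keep a local log for later inspection.
"%LOCALDIR%\BUGBEAR_TOOL.EXE" /SILENT /LOG "%LOCALDIR%\scan.log"
set RC=%ERRORLEVEL%

rem Record one line per machine: name, user, exit code, timestamp.
rem Exit code meaning must be taken from the vendor's documentation.
echo %COMPUTERNAME% %USERNAME% RC=%RC% %DATE% %TIME% >> "%LOGSHARE%\results.txt"

rem Mark the machine as processed only after the tool actually ran.
echo %DATE% %TIME% > "%MARKER%"
```

Sorting `results.txt` by exit code gives a quick list of which machines need a hands-on visit.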

 
I understand your reasoning for doing this. However, if it is on another section of the network (say, location 3 is infected), once these people have scanned and cleaned upon login, the possibility of them becoming infected once again is huge. This virus appears to be flooding the entire WAN within seconds...

Christopher Ryan
cryan.at.colemans.ca
visit us online @
 
Can you remotely copy and launch programs on each system?

That would be my next thought.
 
Can be done, but once again, if these systems are still connected to the network, they are still at an extremely high risk of immediate infection.

All anti-viral companies have a separate removal utility for BugBear, and recommend each workstation is disco'ed from the network until the entire network is deemed clean. This, of course, eliminates the possibility of being able to remotely administer a workstation.

I've been looking for a contact for AVG, but have been unable to find one. It appears that they use forms that link to license numbers on their website for all contact. I'm stuck between a rock and a hard place.

Christopher Ryan
cryan.at.colemans.ca
visit us online @
 
Can you block the ports it is using to flood the network? Or is it using port 80? If you can start to contain it at each site then you can get each site cleaned up.
 
We're outsmarting ourselves here. Systems are vulnerable to re-infection from this threat, yes, but if your AVG is up to date it should protect you from re-infection.

The reason AVG cannot clean these files is because they are in use AND as part of this virus's attack it disables various security programs.

Set up a test system, run a cleaner on it and re-initialize the AVG client. See if the system is able to remain clean before we take this further.

If that doesn't work, you're looking at having to contact some local consultants (local to your various stores) and having them down your WAN connections and clean each site prior to bringing them back online.
 
That's what we've been looking at - a corporate-wide shutdown. Will AVG Network Edition give a report stating which particular machine is infected?

Christopher Ryan
cryan.at.colemans.ca
visit us online @
 
I don't know, I haven't utilized the AVG network edition.

I know Symantec does, so I'd hope AVG will.
 
I cannot find a contact number anywhere whatsoever for AVG. The phones at my office are going absolutely insane, and I'm about to haul all the hair out of my head!

Christopher Ryan
cryan.at.colemans.ca
visit us online @
 
It looks as if AVG can only be contacted via E-Mail or an online form. I don't see anything listing out a number to contact them at.

Is there an option to do a network wide scan from the AVG client?
 
Well I think one thing is that you need to figure out how it got on that many computers. Since the Symantec article says it is spread by file shares, you also need to secure any shares that you have on the machines. Also it would be a good idea to have a strong admin password on the machines and to make sure normal users don't have admin rights unless needed. I think it will be one of those chasing-your-tail situations trying to get all of them cleaned, unless you take everyone off the network and put them back on as they are cleaned, which is not really a viable option.
 
Was brought in through an employee's home machine that was hooked up to the network without permission. Within 10 seconds, all printers started going crazy.

Have made the move and am in the process of setting up AVG Network Edition. Great program, though initial setup is a bit of a challenge. Purchased from Walling Data in Nth. Carolina, pleased with their svc thus far. Will add more as I go along...time is against me :)

Christopher Ryan
cryan.at.colemans.ca
visit us online @
 