Sophos

Instructions for disinfecting W32/Bugbear-A

RMBGBEAR is a utility for disinfecting the W32/Bugbear-A worm. This worm infects most 32-bit Windows platforms (Windows 95, 98, Me, 2000 and XP). It may be dropped on Windows NT, but has not been observed to run. It can spread by copying itself across networks and by sending out infected emails which exploit MIME and IFRAME vulnerabilities. It also sends itself to printers, which print out its executable code.

Download the RMBGBEAR cleaning utility on an uninfected PC. This file is available for download as a self-extracting archive, bearsfx.exe.

Read the RMBGBEAR notes for instructions on how to use RMBGBEAR to clean up a Bugbear infection.

Removing W32/Bugbear-A with Sophos Anti-Virus

Windows 95/98/Me

  1. First, restart the computer in MS-DOS mode.
    • For Windows 95/98, go to the Start menu and select Shut Down. Choose the option "Restart the computer in MS-DOS mode".
    • On Windows Me, create a startup disk, then boot from that.
  2. At the command prompt type:

    C:
    CD \PROGRA~1\SOPHOS~1
    SWEEP C: -REMOVEF
  3. Delete any files containing W32/Bugbear-A. Leave any others.
  4. If you have another hard drive, run a scan on it (e.g. SWEEP D: -REMOVEF on drive D:).
  5. Reboot.
  6. Run a scan in Windows.

Windows NT/2000/XP

  1. Log off the current user and log on as the local administrator.
  2. Stop the worm process.
    • Press the Ctrl, Alt and Del keys at the same time.
    • Click the 'Task Manager' button and select the 'Processes' tab.
    • Look for processes with a random four-letter name.
    • Highlight all such processes and click on 'End Process'.
  3. At the taskbar select Start|Programs|Sophos Anti-Virus and run the 'Sophos Anti-Virus' program.
  4. Click the 'Go' button to run a scan.
  5. Delete any files containing W32/Bugbear-A. Leave any others.
  6. Run another scan to check that the worm has gone.
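
The process check in step 2 can also be run over a saved process listing. The following is an added example, not part of the original Sophos instructions: it shortlists image names made of exactly four letters for manual review. It assumes the listing was saved from `tasklist /FO CSV /NH` on a system that provides that command; the sample rows, process names and the allow-list are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample of `tasklist /FO CSV /NH` output (not taken from a real host).
SAMPLE_TASKLIST = '''"System Idle Process","0","Console","0","16 K"
"System","4","Console","0","212 K"
"smss.exe","544","Console","0","372 K"
"csrss.exe","608","Console","0","3,456 K"
"winlogon.exe","632","Console","0","4,120 K"
"explorer.exe","1488","Console","0","18,204 K"
"qzxk.exe","1720","Console","0","2,964 K"
"Hwbp.EXE","1804","Console","0","1,120 K"
'''

# Assumption: four-letter image names that are expected on this machine.
# smss.exe is a normal Windows system process; extend the set for your build.
KNOWN_FOUR_LETTER = {"smss.exe"}

# Exactly four letters followed by .exe, compared case-insensitively.
FOUR_LETTERS = re.compile(r"^[a-z]{4}\.exe$")


def four_letter_processes(tasklist_csv, known=KNOWN_FOUR_LETTER):
    """Return (image_name, pid) pairs whose name is four letters and not in `known`."""
    hits = []
    for row in csv.reader(io.StringIO(tasklist_csv)):
        if len(row) < 2:
            continue  # skip blank or malformed lines
        image, pid = row[0].strip(), row[1].strip()
        lowered = image.lower()
        if FOUR_LETTERS.match(lowered) and lowered not in known:
            hits.append((image, int(pid)))
    return hits


if __name__ == "__main__":
    for image, pid in four_letter_processes(SAMPLE_TASKLIST):
        print(f"review: {image} (PID {pid})")
```

The result is a shortlist only: a four-letter name alone does not identify the worm, so confirm each entry before ending the process.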

Other platforms

See the instructions for removing worms.

Note: W32/Bugbear-A includes a key logger. You should change any passwords, usernames or other information that may have become compromised.

The worm also creates two randomly-named DLL files in your system directory. These contain scrambled data saved by the worm, but they are not infectious. Sophos Anti-Virus will not detect them. You can delete them if you wish, but they will not harm your PC if you leave them there.


Further reading: More information about how to protect against W32/Bugbear-A can be found in W32/Bugbear-A: Information, protection and disinfection.