
F - B U G B R
--------------

The F-Bugbr utility disinfects computers infected with the 
Bugbear (also known as Tanat or Tanatos) worm. The tool is able 
to remove the following worm variants:

W32/Bugbear.A  (I-Worm.Tanatos.A)
W32/Bugbear.B  (I-Worm.Tanatos.B)

The disinfection procedure is as follows:

1. Unpack the F-Bugbr utility from the provided ZIP archive 
with either the WinZip or the PkUnzip utility. A trial version of 
the WinZip archiver can be downloaded from the following website:

http://www.winzip.com/ddchomea.htm

2. Close all active applications.
                                   
3. Run the unpacked F-Bugbr.exe file from a hard disk to 
eliminate the Bugbear worm infection. You can run the utility 
either by double-clicking on it in Windows Explorer or (for 
advanced users) by starting it from a command interpreter 
(COMMAND.COM or CMD.EXE): type its name at the command prompt 
and press 'Enter'.

First the F-Bugbr utility will kill the Bugbear worm's processes 
in memory. Then the utility will scan your hard drive for 
infected files, delete Bugbear.A and Bugbear.B worm droppers and 
disinfect executable files infected with the Bugbear.B worm.

4. Reboot the system. After the restart your system should be 
clean.

If you have F-Secure Anti-Virus installed, the utility will 
temporarily disable the on-access scanner to be able to disinfect 
your system. After the utility completes disinfection, it 
re-enables the on-access scanner.

You can get a trial version of F-Secure Anti-Virus and the latest 
updates for it from our website:

http://www.europe.f-secure.com/download-purchase/
http://www.europe.f-secure.com/download-purchase/updates.shtml


IMPORTANT NOTES
---------------

After disinfection it is recommended to change all logins and 
passwords as they could have been compromised by the password 
stealer component of the worm. It is also recommended to check 
infected systems and networks for possible hacker intrusion that 
could have been performed through the backdoor component of the 
worm.

If a computer running Windows NT, 2000 or XP is being 
disinfected, please log in as Administrator or as a user with 
local admin rights, otherwise the F-Bugbr utility might not 
disinfect your system correctly.

If the Bugbear infection is in a network environment, the 
network should be temporarily taken down until all workstations 
and servers are disinfected. A single infected workstation can 
re-infect already cleaned computers.

If you have Windows ME or XP, it is recommended to disable the 
System Restore feature of these operating systems to prevent your 
computer from being re-infected with the Bugbear worm. The System 
Restore feature might save the infected file into its special 
folder and copy it back to the hard drive every time it is 
deleted by the F-Bugbr utility. The instructions on how to 
disable the System Restore feature are here:

Windows ME:
http://www.europe.f-secure.com/v-descs/sfc_dis.shtml

Windows XP:
http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml

If you have any problems using this utility, please contact us 
at the 'samples@f-secure.com' address.

