Hi,
Although I can't absolutely guarantee that those aren't files you'll
need someday, it is extremely likely those files were created by the
worm and are thus discardable.
Here's one description of what the worm does:
F-Secure Virus Descriptions
"When run, the worm copies itself to Windows System directory with a
random name (JFMV.EXE for example) and adds a startup key for this
file to the Registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]
It also drops a keylogging component as a DLL file with a
randomly-generated name (ZLQPUPP.DLL for example) to Windows System
folder."
http://www.f-secure.com/v-descs/tanatos.shtml
Note that the description indicates that the virus copies two files,
an .exe file and a .dll file to the Windows System directory, and they
are randomly named. The facts that you find those two types of files
in the Windows System directory, that they were both infected with
that virus, that their removal isn't affecting system performance, and
that they have filenames we can't find anything about (and thus they
are probably randomly named) all indicate that these files were
extremely likely to have been created by the virus. Note also that
there's no indication this worm infects other files, as some viruses
do.
Do you by any chance remember the size of files you deleted? If
fyya.exe was 50,688 bytes, you could bet your life (OK, maybe your
car) that it was Bugbear. Similarly, the installed .dll file is
reported to be 5,632 bytes. Or you could also check your system
registry to see if you can find the system key above (unless you had
some virus elimination program that has already deleted it from the
registry). There also may be some other .dll and .dat files created
by Bugbear, but they in themselves aren't malicious.
And here's some unsolicited advice: Next time you want to delete a
file under similar circumstances but aren't absolutely certain,
instead change its name by adding a phony extension on the name. For
example, you could have changed fyya.exe to fyya.exe.deleted and that
would have rendered it unusable as an executable.
Here are some other articles on the worm that may interest you:
W32.Bugbear@mm
http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html
Bugbear | Tanatos Worm
http://antivirus.about.com/library/weekly/aa093002a.htm
Threatlist for October 2002
http://www.messagelabs.com/viruseye/threatlist.asp
You can also find recent articles on Bugbear using Google News with
"bugbear" as the search term:
http://news.google.com/news?hl=en&q=bugbear&btnG=Google+Search
Like I said, unless you remember the sizes of the files you deleted
(or can find out through some sort of an undelete utility), I can't
absolutely guarantee you those aren't files you may need someday
(after disinfecting them, of course). But it seems extremely likely,
because everything you've described about those files is what would
be the case with an infection from this worm.
Best wishes,
mvguy
Search strategy: I went to http://antivirus.about.com and followed
links from there. I went directly to the Symantec site to find the
description there.
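The size check and the rename-instead-of-delete advice from the answer above, as an added example that is not part of the original post: it flags .exe and .dll files whose exact size matches the reported 50,688 and 5,632 bytes and quarantines them by appending `.deleted`. The function names and the sample files are constructed for illustration, and a size match is only a hint to investigate, not proof of infection.

```python
import os
import tempfile

# Sizes reported in the answer above for the worm's dropped files.
BUGBEAR_SIZES = {".exe": 50_688, ".dll": 5_632}


def find_suspects(system_dir):
    """Return sorted paths whose extension and exact size match the reported values."""
    suspects = []
    for entry in os.scandir(system_dir):
        if not entry.is_file(follow_symlinks=False):
            continue
        ext = os.path.splitext(entry.name)[1].lower()
        if BUGBEAR_SIZES.get(ext) == entry.stat(follow_symlinks=False).st_size:
            suspects.append(entry.path)
    return sorted(suspects)


def quarantine(path, suffix=".deleted"):
    """Rename instead of deleting, so the file cannot run but can be restored."""
    target = path + suffix
    n = 1
    while os.path.exists(target):  # never overwrite an earlier quarantined copy
        target = f"{path}{suffix}.{n}"
        n += 1
    os.rename(path, target)
    return target


def demo():
    """Constructed sample directory standing in for the Windows System folder."""
    with tempfile.TemporaryDirectory() as d:
        samples = {"fyya.exe": 50_688, "zlqpupp.dll": 5_632,
                   "notepad.exe": 69_120, "other.dll": 5_633}
        for name, size in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"\0" * size)
        hits = [os.path.basename(p) for p in find_suspects(d)]
        moved = [os.path.basename(quarantine(os.path.join(d, h))) for h in hits]
        return hits, moved, sorted(os.listdir(d))


if __name__ == "__main__":
    print(demo())
```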