Author: * AnpuAnubis Ramesses - 5 posts on this thread out of 103 posts sitewide
Date: Aug 9, 2003 - 04:30
Although the email received resembled what is described in virus definitions (at Symantec and McAfee) of the delivery of BugBear and its many forms, this particular bug was listed as a browser-hijacking trojan/malware/spybot by the tools that found and destroyed it. For this post, I will call it a trojan, as described by the anti-virus software. And although the name "Babe" followed the WinStart001 exe file name, the symptoms did not seem to resemble those of the Babe worm/trojan. It was the delivery that resembled Babe and BugBear, so it could be a hybrid.
According to my research, the IGetNet bug can be caught when downloading screensavers and other free products from the web; it can be "bundled in" with them. It can also be offered as a search tool in a pop-up ad. However, it made its way into this machine via email attachment. There was no pop-up with an "OK" (or similar hint) that anything had been downloaded and installed on this system.
Keep in mind: this occurred on a system that is behind not only a software firewall but also a router, and has many different security tools running at any given time. This system does not contain the Outlook email program, which is often the victim of similar tricks. The online web email to which it was delivered also has its own "anti-virus" tool to scan attachments. In this case, I believe it was a Hotmail and McAfee combination.
The user does not have to click to open this attachment for it to execute! Details of the attachment can be found in my last post.
Here is the information I saved for you, so you know what to look for, should this happen to you.
Anti-virus description: The Trojan horse TR/Winstart.Babe
Main filename: WinStart001.EXE
Categories: Trojan, Spybot, Browser hijack
By: IGetNet, LLC
What it did on this particular machine:
1. spread to two saved URLs in the favorites folder (bookmarks)
2. would have attempted to reset the Internet Explorer start page to a search engine upon reboot. I got rid of it before it did.
3. altered system files to "boot up" with Windows
4. added files to the system folder, for example:
WINDOWS - SYSTEM - RULES.DAT
5. changed and/or added several objects and keys in the Windows registry, for example:
HKLM - SOFTWARE - MICROSOFT - WINDOWS - CURRENT VERSION - RUN
and
SOFTWARE - MICROSOFT - INTERNET EXPLORER - URLSearchHooks
6. invaded unused Netscape email on the system, and assigned a username from another email found on the system!
I don't think it managed to email anyone, because it was rectified before reboot. From what I have read though, it also can hang/freeze systems to force reboot.
Found and deleted by: AntiVir free anti virus
http://www.free-av.com
Additional registry changes can be reported and dealt with by any registry-tweaking software and programs like:
Ad-aware http://www.lavasoft.nu
Pest Patrol http://PestPatrol.com
info at: http://PestPatrol.com/PestInfo/I/IGetNet.asp
This and any other nasty bug can also be scanned for and cured online by Trend, McAfee, Kaspersky, Symantec, and Panda scan tools.
*There was no place else to post this information.
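Added note (not part of the original post, and not the poster's or any vendor's code): the two registry locations named in item 5 above are the ones worth checking first on a suspect machine, and they can be reviewed offline from a registry export (regedit, File > Export) rather than on the live box. The script below parses such a .reg export and flags a Run entry that launches WinStart001.EXE, and any IE URLSearchHook other than Microsoft's own. The sample export embedded in it is constructed for the example (the second hook CLSID is a made-up placeholder), and treating {CFBFAE00-17A6-11D0-99CB-00C4FC64A3D6} as the only hook a stock IE carries is the script's assumption.

```python
"""Triage a Windows registry export (.reg) for the two persistence /
browser-hijack locations named in the post: the Run key and IE's
URLSearchHooks. Added example; the sample export at the bottom is
constructed, not captured from the poster's machine."""
import re

# File name taken from the post; any other indicator would be an assumption.
IOC_FILENAMES = {"winstart001.exe"}

# CLSID of the "Microsoft Url Search Hook", assumed here to be the only hook a
# clean IE install registers. Anything else under URLSearchHooks gets flagged.
DEFAULT_SEARCH_HOOK = "{CFBFAE00-17A6-11D0-99CB-00C4FC64A3D6}"

RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?$", re.I)
HOOK_KEY = re.compile(r"\\microsoft\\internet explorer\\urlsearchhooks$", re.I)


def _unquote(s):
    """Strip the quotes of a REG_SZ token and undo .reg escaping (\\" and \\\\)."""
    if len(s) >= 2 and s.startswith('"') and s.endswith('"'):
        s = s[1:-1]
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse a REGEDIT4 / 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: data}}. String data is unescaped; other value
    types (dword:, hex:) are kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, sep, data = line.partition("=")
        if not sep:
            continue
        name = "(Default)" if name == "@" else _unquote(name)
        keys[current][name] = _unquote(data) if data.startswith('"') else data
    return keys


def exe_name(command):
    """Lower-cased file name of the program a Run command line starts.
    Handles quoted paths and unquoted paths containing spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        tokens = command.split()
        path = tokens[0] if tokens else ""
        for i, tok in enumerate(tokens):
            if tok.lower().endswith((".exe", ".com", ".scr", ".bat", ".pif")):
                path = " ".join(tokens[: i + 1])
                break
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(keys):
    """Return (key, value_name, data, reason) tuples for Run entries that
    launch a known IGetNet file and for non-default URLSearchHooks."""
    findings = []
    for path, values in keys.items():
        if RUN_KEY.search(path):
            for name, data in values.items():
                if exe_name(data) in IOC_FILENAMES:
                    findings.append((path, name, data, "Run entry launches a known IGetNet file"))
        elif HOOK_KEY.search(path):
            for name, data in values.items():
                if name.upper() != DEFAULT_SEARCH_HOOK:
                    findings.append((path, name, data, "URLSearchHook is not the Microsoft default"))
    return findings


# Constructed sample export: one clean Run entry, one IGetNet entry, the stock
# Microsoft hook, and a placeholder CLSID standing in for a hijacker's hook.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"WinStart"="\"C:\\WINDOWS\\SYSTEM\\WinStart001.EXE\" /s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C4FC64A3D6}"=""
"{00000000-0000-0000-0000-000000000001}"=""
'''

if __name__ == "__main__":
    for key, name, data, reason in triage(parse_reg(SAMPLE_EXPORT)):
        print(f"{reason}:\n  [{key}]\n  {name} = {data!r}")
```

To use it on a real machine, export HKLM and HKCU to a .reg file and pass the file's text to parse_reg(); the script only reads the export, so it is safe to run on a separate box. It deliberately flags only what the post describes; a Run entry it does not flag still deserves a look if you do not recognise it.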