-----Original Message-----
From: NIPC Watch [mailto:nipc.watch@private]
Sent: Wednesday, December 05, 2001 5:12 PM
To: daily
Subject: NIPC Alert 01-029.1, Update to "VBS/Mass-Mailing Worm, W32/Goner.A"

National Infrastructure Protection Center
"VBS/Mass-Mailing Worm, W32/Goner.A"
Alert 01-029.1
5 December 2001

[Updates to NIPC Alert 01-029 are in bold]

The National Infrastructure Protection Center (NIPC) continues to monitor a mass-mailing worm called W32/Goner.A. This is a very fast-spreading mass-mailing worm that appears to take advantage of Visual Basic Scripting built into Microsoft Outlook and Outlook Express (Windows-based), then propagates using e-mail and an online instant messenger (ICQ).

Developing information continues to indicate that this worm mails itself to all addresses within the infected computer's Outlook or Outlook Express address book, sets itself as a server process so it does not show up in the task manager, and deletes the anti-virus definitions from many common anti-virus products. It also searches out and terminates many commercial anti-virus software and firewall product processes.

The e-mail sent, to date, is always the same:

Subject: Hi
Attachment: gone.scr
Message text: "How are you? When I saw this screen saver, I immediately thought about you I am in a harry[sic], I promise you will love it! "

Goner spreads itself via ICQ's online instant messaging client using the library file ICQMAPI.DLL. Goner copies that DLL from the directory C:\PROGRAM FILES\ICQ\ to the Windows system directory. Goner then sends itself to all online users (regardless of mode) from an internal list of online users, via ICQ file transfer. Goner also answers requests for file transfers from other users.

In order to hide its presence and actions, Goner does several things within the system. First, Goner sets itself up as a server process so it does not show up in the task manager as a running program.
It then writes itself to the Windows registry so the worm is restarted upon reboot. Goner then searches out and terminates processes from many commercial anti-virus software packages and many commercial firewall products, including those for personal use. This renders the anti-virus software and firewall software temporarily useless; however, infected users may still believe they are protected.

Recommended Actions:

Update virus definitions and scan for presence of the worm. Ensure virus definitions include the signature for Goner or request definition updates from your technical support personnel. Most major anti-virus companies have provided new definition files for this virus. If your definition file pre-dates 4 December 2001, it is not current. Older definitions do not alert on this worm.

For individual users:

- Consider deleting unexpected e-mails that contain file attachments without opening them. Exercise particular caution with respect to e-mails that contain attachments that end in .exe, .vbs, .bat, .scr, and .pif.
- Consider turning off all script and scripting within the e-mail client security settings.
- Consider upgrading your e-mail client. Outlook 2002 has many security features enabled by default that would block propagation of Goner and certain other mass-mailing e-mail worms.

These actions may help protect you against this worm and many other mass-mailing malware products in the wild today.

For corporate users and system administrators:

- Consider blocking ICQ traffic during an infection to block further propagation. ICQ client-to-server communication is conducted over TCP port 5190.
- Consider blocking all messages that have attachments with the extensions mentioned above.
- NIPC recommends having a virus checker at the mail server that scans all incoming and outgoing messages for malicious code, as well as blocking executable file extensions.
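The mail-gateway recommendation above (block the listed executable extensions and flag the Goner message pattern) can be illustrated with a small attachment filter. This is an added example, not NIPC's or any vendor's code; the two sample messages are constructed here to resemble the Goner mail quoted in the alert and a benign mail, and the function and variable names are this example's own.

```python
import os
from email import policy
from email.parser import BytesParser

# Attachment extensions the alert recommends blocking at the mail server.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".bat", ".scr", ".pif"}

# Goner indicators quoted in the alert: subject "Hi", attachment gone.scr.
GONER_SUBJECT = "hi"
GONER_ATTACHMENT = "gone.scr"

# Constructed sample resembling the Goner mail described in the alert.
# The base64 body is filler, not worm code.
SAMPLE_GONER = b"""From: someone@example.invalid
To: you@example.invalid
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

How are you? When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!

--XYZ
Content-Type: application/octet-stream; name="gone.scr"
Content-Disposition: attachment; filename="gone.scr"
Content-Transfer-Encoding: base64

QUFBQUFBQUFBQUFBQUFBQQ==
--XYZ--
"""

# Constructed benign sample with a PDF attachment.
SAMPLE_CLEAN = b"""From: a@example.invalid
To: b@example.invalid
Subject: Q4 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABC"

--ABC
Content-Type: text/plain

Attached.

--ABC
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--ABC--
"""


def attachment_names(msg):
    """Return the filenames of all non-multipart parts that carry one."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            names.append(filename)
    return names


def scan_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and decide whether the gateway should block it.

    The verdict is driven by the extension list alone, so a Goner variant with a
    different subject is still blocked; the goner_match flag is reported
    separately so operators can see whether the known pattern was hit.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    names = attachment_names(msg)
    # Compare on the final extension, lower-cased, so GONE.SCR or photo.jpg.scr
    # are caught as well.
    blocked = [n for n in names
               if os.path.splitext(n.lower())[1] in BLOCKED_EXTENSIONS]
    subject = (msg["subject"] or "").strip().lower()
    goner = subject == GONER_SUBJECT and any(
        n.lower() == GONER_ATTACHMENT for n in names)
    return {
        "attachments": names,
        "blocked": blocked,
        "goner_match": goner,
        "verdict": "block" if blocked else "allow",
    }


if __name__ == "__main__":
    for label, raw in (("goner-like", SAMPLE_GONER), ("clean", SAMPLE_CLEAN)):
        print(label, scan_message(raw))
```

The check keys on the attachment name only, which is what the alert's advice covers; a production gateway would also pass the decoded part to a scanner with current definitions, since a renamed attachment defeats an extension list.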
The anti-virus software industry is aware of Goner and is providing signature files to download to detect and remove it from infected hosts. Full descriptions and removal instructions are located at the following anti-virus Web sites:

F-Secure Corp.
http://www.f-secure.com/v-descs/goner.shtml

Network Associates Inc./McAfee.com
http://vil.mcafee.com/dispVirus.asp?virus_k=99272&

Symantec Corp.
http://www.symantec.com/avcenter/venc/data/w32.goner.a@mm

Trend Micro Inc.
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_GONE.A

As always, the NIPC encourages computer users to keep anti-virus and systems software current by frequently checking vendor web sites for updates, and routinely checking for alerts issued by the NIPC, FedCIRC, CERT/CC, and similar organizations.

The NIPC encourages recipients of this alert to report computer intrusions to their local FBI office http://www.fbi.gov/contact/fo/fo.htm or the NIPC, and to other appropriate authorities. Recipients may report incidents online at http://www.nipc.gov/incident/cirr.htm, and can reach the NIPC Watch and Warning Unit at (202) 323-3205, 1-888-585-9078 or nipc.watch@private
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:36:47 PDT