CRIME FW: NIPC Alert 01-029.1, Update to "VBS/Mass-Mailing Worm, W32/Goner.A"

From: Goerling, Richard J. LT (TAD to CGIC Portland) (RIGoerling@private)
Date: Wed Dec 05 2001 - 17:51:28 PST


    -----Original Message-----
    From: NIPC Watch [mailto:nipc.watch@private]
    Sent: Wednesday, December 05, 2001 5:12 PM
    To: daily
    Subject: NIPC Alert 01-029.1, Update to "VBS/Mass-Mailing Worm,
    W32/Goner.A"
    
    
    National Infrastructure Protection Center
    "VBS/Mass-Mailing Worm, W32/Goner.A"
    Alert 01-029.1
    5 December 2001
    
    [Updates to NIPC Alert 01-029 are in bold]
    
    The National Infrastructure Protection Center (NIPC) continues to 
    monitor a mass-mailing worm called W32/Goner.A. This is a very 
    fast-spreading mass-mailing worm that appears to take advantage of 
    Visual Basic Scripting built into Microsoft Outlook and Outlook Express 
    (Windows-based), then propagates using e-mail and an online instant 
    messenger (ICQ). Developing information continues to indicate that 
    this worm mails itself to all addresses within the infected computer's 
    Outlook or Outlook Express address book, sets itself as a server process 
    so it does not show up in the task manager, and deletes the anti-virus 
    definitions from many common anti-virus products.  It also searches out 
    and terminates many commercial anti-virus software and firewall product 
    processes.
    
    The E-Mail sent, to date, is always the same:
    
    Subject: Hi
    Attachment: gone.scr
    
    Message text:
    "How are you?
    When I saw this screen saver, I immediately thought about you
    I am in a harry[sic], I promise you will love it! "
    
    Goner spreads itself via ICQ's online instant messaging program client 
    using the library file ICQMAPI.DLL.  Goner copies that DLL from the 
    directory C:\PROGRAM FILES\ICQ\ to the Windows system directory.  Goner 
    then sends itself to all on-line users (regardless of mode) from an 
    internal list of online users, via ICQ file transfer.  Goner also 
    answers to requests from other users requesting file transfers.
    
    In order to hide its presence and actions, Goner does several things 
    within the system.   First, Goner sets itself up as a server process so 
    it does not show up in the task manager as a running program. It then 
    writes itself to the Windows registry so the worm is restarted upon 
    reboot. Goner then searches out and terminates processes from many 
    commercial anti-virus software packages and many commercial firewall 
    products, including those for personal use. This renders the anti-virus 
    software and firewall software temporarily useless; however, infected 
    users may still believe they are protected.
    
    Recommended Actions:
    
    Update virus definitions and scan for presence of the worm.  Ensure 
    virus definitions include the signature for Goner or request definition 
    updates from your technical support personnel. Most major anti-virus 
    companies have provided new definition files for this virus.  If your 
    definition file pre-dates 4 December 2001, it is not current. Older 
    definitions do not alert on this worm.
    
    For individual users:
    
    Consider deleting unexpected e-mails that contain file attachments 
    without opening them.
    
    Exercise particular caution with respect to e-mails that contain 
    attachments that end in .exe, .vbs, .bat, .scr, and .pif.
    
    Consider turning off all script and scripting within the e-mail client 
    security settings.
    
    Consider upgrading your e-mail client. Outlook 2002 has many security 
    features enabled by default that would block propagation of Goner and 
    certain other mass mailing e-mail worms.
    
    These actions may help protect you against this worm and many other 
    mass-mailing malware products in the wild today.
    
    For Corporate users and system administrators:
    
    Consider blocking ICQ traffic during an infection to block further 
    propagation.  ICQ client-to-server communication is conducted over TCP 
    port 5190.
    
    Consider blocking all messages that have attachments with extensions 
    mentioned above. NIPC recommends having a virus checker at the mail 
    server point that scans all incoming and outgoing messages for malicious 
    code, as well as blocking executable file extensions.
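    A mail-gateway check combining the two rules the alert gives above (the exact
    Goner indicators, Subject "Hi" with attachment gone.scr, and the generic block
    on .exe/.vbs/.bat/.scr/.pif attachments). This is an added example, not NIPC's
    or any vendor's code; the sample messages are constructed for the demonstration.

```python
import email
from email import policy

# Attachment extensions the alert recommends blocking at the mail server.
BLOCKED_EXTENSIONS = (".exe", ".vbs", ".bat", ".scr", ".pif")
# Indicators the alert lists for the Goner e-mail itself.
GONER_SUBJECT = "hi"
GONER_ATTACHMENT = "gone.scr"


def attachment_names(msg):
    """Lowercased filenames of every MIME part that carries a filename."""
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]


def classify(raw):
    """Return 'goner', 'blocked-extension' or 'clean' for a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    names = attachment_names(msg)
    # Specific rule: the alert's Goner indicators (Subject "Hi" plus gone.scr).
    if subject == GONER_SUBJECT and GONER_ATTACHMENT in names:
        return "goner"
    # Generic rule: any attachment with a blocked executable extension.
    if any(n.endswith(BLOCKED_EXTENSIONS) for n in names):
        return "blocked-extension"
    return "clean"


def _mime(subject, filename):
    """Build a constructed two-part test message (not a real capture)."""
    return (
        "From: sender@example.invalid\nTo: user@example.invalid\n"
        f"Subject: {subject}\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nHow are you?\n"
        f'--b1\nContent-Type: application/octet-stream; name="{filename}"\n'
        f'Content-Disposition: attachment; filename="{filename}"\n\n'
        "AAAA\n--b1--\n"
    )


# Constructed samples: the Goner lure, another executable, and a harmless file.
GONER_MAIL = _mime("Hi", "gone.scr")
OTHER_EXE_MAIL = _mime("Invoice", "setup.EXE")
CLEAN_MAIL = _mime("Hi", "photo.jpg")

if __name__ == "__main__":
    for sample in (GONER_MAIL, OTHER_EXE_MAIL, CLEAN_MAIL):
        print(classify(sample))
```

    The extension check is case-insensitive, so a renamed `.EXE` is caught as well; a real gateway would also inspect the file content, since the extension alone is easy to forge.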
    
    The anti-virus software industry is aware of Goner and is providing 
    signature files to download to detect and remove it from infected hosts. 
    Full descriptions and removal instructions are located at the following 
    anti-virus Web sites:
    
    F-Secure Corp.
    http://www.f-secure.com/v-descs/goner.shtml
    
    Network Associates Inc./McAfee.com
    http://vil.mcafee.com/dispVirus.asp?virus_k=99272&
    
    Symantec Corp.
    http://www.symantec.com/avcenter/venc/data/w32.goner.a@mm
    
    Trend Micro Inc.
    http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_GONE.A
    
    As always, the NIPC encourages computer users to keep anti-virus and 
    systems software current by frequently checking vendor web sites for 
    updates, and routinely checking for alerts issued by the NIPC, FedCIRC, 
    CERT/CC, and similar organizations.
    
    The NIPC encourages recipients of this alert to report computer 
    intrusions to their local FBI office 
    http://www.fbi.gov/contact/fo/fo.htm or the NIPC, and to other 
    appropriate authorities. Recipients may report incidents online at 
    http://www.nipc.gov/incident/cirr.htm, and can reach the NIPC Watch and 
    Warning Unit at (202) 323-3205, 1-888-585-9078 or nipc.watch@private
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:36:47 PDT