Re: New version of SirCam ===w32Goner

From: Seth Leone (s1leoneat_private)
Date: Tue Dec 04 2001 - 13:42:04 PST

  • Next message: Michal Zalewski: "Re: Attacks against SSH?"

    For those  not already aware this is named the
    w32Goner:see below for details
     <...pulled from mcafee's site>
    
      Aliases  
    I-Worm.Goner (AVP)  
    Pentagone  
    W32.Goner.A@mm (NAV)  
    W32/Goner-A (Sophos)  
    W32/Goner.A@mm (Panda)  
    Win32.Goner.A@mm (AVX) 
    
     Description
    This mass mailing worm attempts to send itself using
    Microsoft Outlook to all entries found in the Outlook
    Address book. It tries to delete security software,
    can spread via ICQ, and contains a DDoS payload via
    IRC. It arrives in an email message containing the
    following information: 
    Subject: Hi 
    Body: 
    How are you ? 
    When I saw this screen saver, I immediately thought
    about you 
    I am in a harry, I promise you will love it! 
    
    Attachment: GONE.SCR 
    
    Running this attachment infects the local system. 
    
    When run, the worm displays a message box entitled,
    "About" 
     
    After a short time, another window entitled "Error" is
    displayed: 
    
    The worm copies itself into the WINDOWS SYSTEM folder
    and adds the following registry key to load itself at
    startup: 
    
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    
    Run\C:\%WINDIR%\SYSTEM\gone.scr=C:\%WINDIR%\SYSTEM\gone.scr
    
    
    Under Windows 9x/ME, the worm looks for the following
    processes in memory: 
    _AVP32.EXE 
    _AVPCC.EXE 
    _AVPM.EXE 
    APLICA32.EXE 
    AVP.EXE 
    AVP32.EXE 
    AVPCC.EXE 
    AVPM.EXE 
    CFIADMIN.EXE 
    CFIAUDIT.EXE 
    CFINET32.EXE 
    ESAFE.EXE 
    FRW.EXE 
    ICLOAD95.EXE 
    ICLOADNT.EXE 
    ICMON.EXE 
    ICSUPP95.EXE 
    ICSUPPNT.EXE 
    LOCKDOWN2000.EXE 
    NAVW32.EXE 
    PCFWallICON.EXE 
    SAFEWEB.EXE 
    TDS2-98.EXE 
    TDS2-NT.EXE 
    VSHWIN32.EXE 
    ZONEALARM.EXE 
    
    If present, the process is terminated and all files in
    the directory containing that executable are deleted,
    as well as all files within any subdirectories. If
    this action fails, the worm may create a WININIT.INI
    file to delete the files upon restart. 
    The worm attempts to copy ICQMAPI.DLL to the WINDOWS
    SYSTEM directory. It appears to send itself to ICQ
    users when the a local ICQ user attempts to manually
    send a file to another ICQ user. The worm also creates
    the file REMOTE32.INI which contains instructions to
    initiate a Denial of Service attack against other IRC
    users. A reference to REMOTE32.INI is added to the
    mIRC SCRIPT.INI file.
     
      Symptoms  
    - Presence of the GONE.SCR 
    - Presence of the REMOTE32.INI 
    - Users stating that you have sent them the virus,
    when you did not knowingly do so  
    
      Method Of Infection  
    This mass-mailing worm sends itself to all users found
    in the Outlook Address Book using a plain text format.
    Therefore, the attachment does not start automatically
    when the user opens the message and does not get
    activated automatically when then Outlook preview pane
    if used.  
     
    Top of Page 
    
    Removal Instructions  
    All Windows Users:
    Use current engine and DAT files for detection and
    removal. 
    Alternatively, the following EXTRA.DAT files are also
    available
    EXTRA.DAT 
    SUPER EXTRA.DAT 
    
    Reinstall any security software that was deleted by
    the virus. 
    
    Manual Removal Instructions (not required for McAfee
    users with current engine and DAT files) 
    
    WINDOWS 95/98/ME
    
    Restart Windows in Safe Mode (reboot your computer,
    just before the large WINDOWS startup screen comes up,
    hit the F5 key). You can recognize that you're in Safe
    Mode by the text Safe Mode in the 4 corners of the
    desktop. 
    Click START | FIND | Files or Folders ... 
    Type GONE.SCR and hit ENTER 
    Delete GONE.SCR (if present) 
    Click START | RUN, type REGEDIT and hit ENTER 
    
    Click the (+) next to HKEY_LOCAL_MACHINE 
    
    Click the (+) next to SOFTWARE 
    
    Click the (+) next to MICROSOFT 
    
    Click the (+) next to WINDOWS 
    
    Click the (+) next to CURRENTVERSION 
    
    Click RUN 
    
    Click on C:\WINDOWS\SYSTEM\gone.scr on the right and
    hit DELETE on the keyboard 
    
    Restart the computer 
    WINDOWS NT/2000/XP
    
    Type CTRL-ALT-DEL at the same time 
    Choose TASK MANAGER and then choose the PROCESS tab 
    Locate the GONE.SCR process, click it, and choose END
    PROCESS 
    Click START | FIND | Files or Folders ... 
    Type GONE.SCR and hit ENTER 
    Delete GONE.SCR (if present) 
    Click START | RUN, type REGEDIT and hit ENTER 
    
    Click the (+) next to HKEY_LOCAL_MACHINE 
    
    Click the (+) next to SOFTWARE 
    
    Click the (+) next to MICROSOFT 
    
    Click the (+) next to WINDOWS 
    
    Click the (+) next to CURRENTVERSION 
    
    Click RUN 
    
    Click on C:\WINNT\SYSTEM\gone.scr on the right and hit
    DELETE on the keyboard 
    
    Restart the computer 
    Additional Windows ME Info:
    NOTE: Windows ME utilizes a backup utility that backs
    up selected files automatically to the C:\_Restore
    folder. This means that an infected file could be
    stored there as a backup file, and VirusScan will be
    unable to delete these files. These instructions
    explain how to remove the infected files from the
    C:\_Restore folder.
    
    Disabling the Restore Utility
    
    1. Right click the My Computer icon on the Desktop.
    2. Click on the Performance Tab.
    3. Click on the File System button.
    4. Click on the Troubleshooting Tab.
    5. Put a check mark next to "Disable System Restore".
    6. Click the Apply button.
    7. Click the Close button.
    8. Click the Close button again.
    9. You will be prompted to restart the computer. Click
    Yes.
    NOTE: The Restore Utility will now be disabled.
    10. Restart the computer in Safe Mode.
    11. Run a scan with VirusScan to delete all infected
    files, or browse the file's located in the C:\_Restore
    folder and remove the file's.
    12. After removing the desired files, restart the
    computer normally.
    NOTE: To re-enable the Restore Utility, follow steps
    1-9 and on step 5 remove the check mark next to
    "Disable System Restore". The infected file's are
    removed and the System Restore is once again active. 
     
     
     
    
    
    __________________________________________________
    Do You Yahoo!?
    Buy the perfect holiday gifts at Yahoo! Shopping.
    http://shopping.yahoo.com
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Dec 04 2001 - 14:16:03 PST