RE: New version of SirCam ===w32Goner

From: David Brown (David.Brownat_private)
Date: Tue Dec 04 2001 - 14:35:02 PST


    Additional information:
    
    Had a user execute it under Windows 2000 Pro.  The gone.scr file is written to
    the ..\winnt\system32 directory.  It also sets attributes on the file to
    Read Only, Hidden, and System.  The executing application is listed as
    Pentagone.exe under Task Manager.
    
    The aforementioned Registry Keys are the only ones noted in my searches.
    
    David M. Brown
    Director, Information Technology Services
    S Y N E R G E X
    <http://www.synergex.com>
    Office:	916 853-0396
    FAX:		916 635-6549
    Mobile:	916 718-6695
    
    
    -----Original Message-----
    From: Seth Leone [mailto:s1leoneat_private]
    Sent: Tuesday, December 04, 2001 1:42 PM
    To: Joao Gouveia; incidentsat_private
    Cc: incidentsat_private
    Subject: Re: New version of SirCam ===w32Goner
    
    
    For those not already aware, this is named the
    w32Goner; see below for details
    <...pulled from McAfee's site>
    
      Aliases  
    I-Worm.Goner (AVP)  
    Pentagone  
    W32.Goner.A@mm (NAV)  
    W32/Goner-A (Sophos)  
    W32/Goner.A@mm (Panda)  
    Win32.Goner.A@mm (AVX) 
    
     Description
    This mass mailing worm attempts to send itself using
    Microsoft Outlook to all entries found in the Outlook
    Address book. It tries to delete security software,
    can spread via ICQ, and contains a DDoS payload via
    IRC. It arrives in an email message containing the
    following information: 
    Subject: Hi 
    Body: 
    How are you ? 
    When I saw this screen saver, I immediately thought
    about you 
    I am in a harry, I promise you will love it! 
    
    Attachment: GONE.SCR 
    
    Running this attachment infects the local system. 
    
    When run, the worm displays a message box entitled,
    "About" 
     
    After a short time, another window entitled "Error" is
    displayed: 
    
    The worm copies itself into the WINDOWS SYSTEM folder
    and adds the following registry key to load itself at
    startup: 
    
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    C:\%WINDIR%\SYSTEM\gone.scr=C:\%WINDIR%\SYSTEM\gone.scr
    
    
    Under Windows 9x/ME, the worm looks for the following
    processes in memory: 
    _AVP32.EXE 
    _AVPCC.EXE 
    _AVPM.EXE 
    APLICA32.EXE 
    AVP.EXE 
    AVP32.EXE 
    AVPCC.EXE 
    AVPM.EXE 
    CFIADMIN.EXE 
    CFIAUDIT.EXE 
    CFINET32.EXE 
    ESAFE.EXE 
    FRW.EXE 
    ICLOAD95.EXE 
    ICLOADNT.EXE 
    ICMON.EXE 
    ICSUPP95.EXE 
    ICSUPPNT.EXE 
    LOCKDOWN2000.EXE 
    NAVW32.EXE 
    PCFWallICON.EXE 
    SAFEWEB.EXE 
    TDS2-98.EXE 
    TDS2-NT.EXE 
    VSHWIN32.EXE 
    ZONEALARM.EXE 
    
    If present, the process is terminated and all files in
    the directory containing that executable are deleted,
    as well as all files within any subdirectories. If
    this action fails, the worm may create a WININIT.INI
    file to delete the files upon restart. 
    The worm attempts to copy ICQMAPI.DLL to the WINDOWS
    SYSTEM directory. It appears to send itself to ICQ
    users when a local ICQ user attempts to manually
    send a file to another ICQ user. The worm also creates
    the file REMOTE32.INI which contains instructions to
    initiate a Denial of Service attack against other IRC
    users. A reference to REMOTE32.INI is added to the
    mIRC SCRIPT.INI file.
     
      Symptoms  
    - Presence of the GONE.SCR 
    - Presence of the REMOTE32.INI 
    - Users stating that you have sent them the virus,
    when you did not knowingly do so  
    
      Method Of Infection  
    This mass-mailing worm sends itself to all users found
    in the Outlook Address Book using a plain text format.
    Therefore, the attachment does not start automatically
    when the user opens the message and does not get
    activated automatically when the Outlook preview pane
    is used.  
     
    
    Removal Instructions  
    All Windows Users:
    Use current engine and DAT files for detection and
    removal. 
    Alternatively, the following EXTRA.DAT files are also
    available
    EXTRA.DAT 
    SUPER EXTRA.DAT 
    
    Reinstall any security software that was deleted by
    the virus. 
    
    Manual Removal Instructions (not required for McAfee
    users with current engine and DAT files) 
    
    WINDOWS 95/98/ME
    
    Restart Windows in Safe Mode (reboot your computer,
    just before the large WINDOWS startup screen comes up,
    hit the F5 key). You can recognize that you're in Safe
    Mode by the text Safe Mode in the 4 corners of the
    desktop. 
    Click START | FIND | Files or Folders ... 
    Type GONE.SCR and hit ENTER 
    Delete GONE.SCR (if present) 
    Click START | RUN, type REGEDIT and hit ENTER 
    
    Click the (+) next to HKEY_LOCAL_MACHINE 
    
    Click the (+) next to SOFTWARE 
    
    Click the (+) next to MICROSOFT 
    
    Click the (+) next to WINDOWS 
    
    Click the (+) next to CURRENTVERSION 
    
    Click RUN 
    
    Click on C:\WINDOWS\SYSTEM\gone.scr on the right and
    hit DELETE on the keyboard 
    
    Restart the computer 
    WINDOWS NT/2000/XP
    
    Type CTRL-ALT-DEL at the same time 
    Choose TASK MANAGER and then choose the PROCESS tab 
    Locate the GONE.SCR process, click it, and choose END
    PROCESS 
    Click START | FIND | Files or Folders ... 
    Type GONE.SCR and hit ENTER 
    Delete GONE.SCR (if present) 
    Click START | RUN, type REGEDIT and hit ENTER 
    
    Click the (+) next to HKEY_LOCAL_MACHINE 
    
    Click the (+) next to SOFTWARE 
    
    Click the (+) next to MICROSOFT 
    
    Click the (+) next to WINDOWS 
    
    Click the (+) next to CURRENTVERSION 
    
    Click RUN 
    
    Click on C:\WINNT\SYSTEM\gone.scr on the right and hit
    DELETE on the keyboard 
    
    Restart the computer 
    Additional Windows ME Info:
    NOTE: Windows ME utilizes a backup utility that backs
    up selected files automatically to the C:\_Restore
    folder. This means that an infected file could be
    stored there as a backup file, and VirusScan will be
    unable to delete these files. These instructions
    explain how to remove the infected files from the
    C:\_Restore folder.
    
    Disabling the Restore Utility
    
    1. Right click the My Computer icon on the Desktop.
    2. Click on the Performance Tab.
    3. Click on the File System button.
    4. Click on the Troubleshooting Tab.
    5. Put a check mark next to "Disable System Restore".
    6. Click the Apply button.
    7. Click the Close button.
    8. Click the Close button again.
    9. You will be prompted to restart the computer. Click
    Yes.
    NOTE: The Restore Utility will now be disabled.
    10. Restart the computer in Safe Mode.
    11. Run a scan with VirusScan to delete all infected
    files, or browse the files located in the C:\_Restore
    folder and remove the files.
    12. After removing the desired files, restart the
    computer normally.
    NOTE: To re-enable the Restore Utility, follow steps
    1-9 and on step 5 remove the check mark next to
    "Disable System Restore". The infected files are
    removed and the System Restore is once again active. 
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
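The indicators in the thread above (gone.scr dropped with Read Only, Hidden and System attributes, the Pentagone.exe process, the Run key entry, REMOTE32.INI, the mIRC SCRIPT.INI reference and the WININIT.INI fallback) collected into one host triage routine. This is an added example, not code from the original message or from McAfee; the snapshot dict layout and the sample host are constructed for it.

```python
"""Host triage for the W32/Goner indicators described in this thread.
Added example, not from the original post or McAfee. The snapshot layout is an
assumption for this example; on a real host a collector would fill it in."""
import re

GONER_FILES = {"gone.scr", "remote32.ini"}          # files named in the report
GONER_PROCS = {"gone.scr", "pentagone.exe"}         # process names seen in Task Manager
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def triage(snapshot):
    """Return (indicator, detail) findings for one host snapshot: a dict with
    'processes', 'files' {path: attribute letters}, 'run_values' {name: data},
    'script_ini' and 'wininit_ini' text; every key is optional."""
    findings = []
    for proc in snapshot.get("processes", []):
        if proc.lower() in GONER_PROCS:
            findings.append(("process", proc))
    for path, attrs in snapshot.get("files", {}).items():
        name = path.rsplit("\\", 1)[-1].lower()
        if name in GONER_FILES:
            # The reporter saw gone.scr dropped with Read Only, Hidden and System set.
            rhs = " (R+H+S set)" if {"R", "H", "S"} <= set(attrs.upper()) else ""
            findings.append(("file", path + rhs))
    for name, data in snapshot.get("run_values", {}).items():
        if "gone.scr" in (name + data).lower():
            findings.append(("run_key", RUN_KEY + "\\" + name + " = " + data))
    if re.search(r"remote32\.ini", snapshot.get("script_ini") or "", re.I):
        findings.append(("mirc", "SCRIPT.INI references REMOTE32.INI"))
    # Win9x processes WININIT.INI [rename] entries at boot; 'NUL=<path>' deletes
    # <path>, which is how the worm can remove security software it could not delete.
    for m in re.finditer(r"^NUL=(.+)$", snapshot.get("wininit_ini") or "", re.I | re.M):
        findings.append(("wininit_delete", m.group(1).strip()))
    return findings


# Constructed snapshot of an infected Windows 2000 host, as described in the thread.
SAMPLE_HOST = {
    "processes": ["explorer.exe", "Pentagone.exe", "outlook.exe"],
    "files": {r"C:\WINNT\system32\gone.scr": "RHS",
              r"C:\Program Files\mIRC\REMOTE32.INI": "A"},
    "run_values": {r"C:\%WINDIR%\SYSTEM\gone.scr": r"C:\%WINDIR%\SYSTEM\gone.scr"},
    "script_ini": "[script]\nn0=load -rs remote32.ini\n",  # constructed, not the real script
    "wininit_ini": "[rename]\nNUL=C:\\PROGRA~1\\ZONEAL~1\\ZONEALARM.EXE\n",
}

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_HOST):
        print(f"{kind:15} {detail}")
```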
    



    This archive was generated by hypermail 2b30 : Wed Dec 05 2001 - 08:54:50 PST