not too difficult to clean up.
1. shut down the program (gone.scr) from task manager
2. dir \gone*.* /s (it dumps itself in a variety of places:
\windows\system, \winnt\system, \temp, \winnt\profiles
but one tricky place is that it dumps itself into the \winnt\system32
dir
with the system, hidden and read-only bits set so make sure to do a
attrib go*.* in that dir and make sure it isn't there. if it is,
attrib -h -s -r gon*.* and then delete them
3. delete the key in the registry, it's in
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\gone.scr
4. reboot and if you dug it out of all of its hiding places, you
shouldn't see it running.
hth,
chris
> -----Original Message-----
> From: Andrew Blevins [mailto:ABlevins@arrowheadgrp.com]
> Sent: Wednesday, December 05, 2001 12:02 PM
> To: incidents@securityfocus.com
> Subject: Gone Worm
>
>
> Has anyone had any success with isolating the Trojan script
> with this worm,
> and having a for sure successful cleanup? Any help appreciated, and I
> apologize in advance if I have missed a previous posting.
> Blevins
>
>
> --------------------------------------------------------------
> --------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Dec 05 2001 - 15:03:06 PST