Re: [FW-1] new virus (?)
Here are a few details from Sophos:

> ----------
> From: [email protected] [SMTP:[email protected]]
> Sent: Tuesday, December 04, 2001 11:39:50 AM
> To: [email protected]
> Subject: Worm: Goner
> Auto forwarded by a Rule
>
> This Alert was sent to you by Vigilinx

Worm: Goner
----------------------------------------------------------------------------
Threat Type: Malicious Code:Worm
Alert ID: 2900
Version: 1
Urgency: 5 - Incidents Reported
Credibility: 5 - Confirmed
Severity: 4 - Moderate Damage
First Published: Dec 04, 2001; 11:36 AM
Last Published: Dec 04, 2001; 11:36 AM
Status: NEW
CVE: Not Available

Version Summary
----------------------------------------------------------------------------
Goner is a mass-mailing worm that has been reported to be spreading throughout Europe and the United States. The worm is written in Visual Basic and is packed with the Ultimate Packer for Executables (UPX) file compressor. When executed, the worm attempts to terminate and delete security application processes to avoid detection. Updated antivirus definitions are available to detect this worm.

Description
----------------------------------------------------------------------------
Goner is a mass-mailing worm written in Visual Basic Script that is packed with the Ultimate Packer for Executables (UPX) file compressor. This worm propagates through Microsoft Outlook and ICQ. The worm propagates through Outlook by sending a copy of itself to all of the addresses in an infected user's Outlook Address Book. The worm propagates through ICQ by gaining approval for a file transfer from a contact in an infected user's contact list.
Goner terminates the following security application processes:

APLICA32.EXE
ZONEALARM.EXE
ESAFE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET32.EXE
PCFWallIcon.EXE
FRW.EXE
VSHWIN32.EXE
VSECOMR.EXE
WEBSCANX.EXE
AVCONSOL.EXE
VSSTAT.EXE
PW32.EXE
VW32.EXE
VP32.EXE
VPCC.EXE
VPM.EXE
AVP32.EXE
AVPCC.EXE
AVPM.EXE
AVP.EXE
LOCKDOWN2000.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLOADNT.EXE
ICSUPPNT.EXE
TDS2-98.EXE
TDS2-NT.EXE
FEWEB.EXE

The worm also attempts to delete these files. When the worm cannot delete the files, it creates a wininit.ini file that attempts to delete these files when the system is started. The worm deletes its file from the folder where it was first started so that it exists only in the Windows\System folder. The worm also drops some scripts in the mIRC client directory that are used to flood certain IRC channels.

Impact
----------------------------------------------------------------------------
Goner is a mass-mailing worm written in Visual Basic Script that propagates through Outlook and ICQ. This worm has the potential to flood e-mail servers and IRC channels. When executed, Goner terminates several security application processes and deletes them in an attempt to avoid detection.

Warning Indicators
----------------------------------------------------------------------------
Goner arrives through e-mail with the following Subject, Body, and Attachment:

Subject: Hi
Body: How are you ? When I saw this screen saver, I immediately thought about you I am in a harry, I promise you will love it!
Attachment: Gone.scr

When executed the worm displays the following message in a dialog box that also contains animation:

pentagone coded by suid tested by: ThE_SKuLL and |satan| greetings to: TraceWar, k9-unit, stef16, ^Reno. greetings also to nonick2 out there where ever you are. Image Copyright (c) F-Secure Corporation

Goner then displays the following fake error message:

Error While Analyze DirectX!
Technical Information
----------------------------------------------------------------------------
Goner is a Portable Executable (PE) file that is 39 KB in size when it is compressed and 145 KB uncompressed. The worm copies gone.scr to the \Windows\System folder and creates a registry key so that it is executed each time that Windows is started. Goner runs as a service process so that it is not visible in the Task Manager.

Vigilinx Comments
----------------------------------------------------------------------------
This worm has been reported to be spreading throughout France, the United Kingdom, and the United States. Administrators should take immediate action to prevent an infection and further propagation of the worm. It is recommended that security policies and procedures require that users report infections to security administrators, and that users not be authorized to make changes to any antivirus settings or software, or attempt to remove the virus. Removing a virus from an infected system requires carefully following the recommended procedures, which may be unique for that virus.

Safeguards
----------------------------------------------------------------------------
Update current virus definitions and antiviral software programs to detect and clean this worm. File system monitoring checks should be performed regularly to detect any unusual activity that may indicate the presence of a worm on the system. Firewall filtering of hazardous e-mail attachment files can prevent the distribution of this worm prior to them reaching systems and users.

Aliases/Variants
----------------------------------------------------------------------------
Aliases include W32/Gone.A@mm, I-Worm.Goner, and Gone.
Patches/Software
----------------------------------------------------------------------------
The latest virus data file from F-Secure to detect this worm is available at the following link:
F-Secure: http://www.fsecure.com/download-purchase/updates.shtml

The latest virus definition from Symantec to detect this worm is available at the following link:
Symantec: http://www.symantec.com/avcenter/defs.download.html

The latest daily file update from Central Command to detect this worm is available at the following link:
Central Command: http://www.centralcommand.com/update.html

The latest information from Kaspersky Labs is available at the following link:
Kaspersky Labs: http://www.kaspersky.com

Alert History
----------------------------------------------------------------------------
This is a Malicious Code Alert.

Product Sets
----------------------------------------------------------------------------
The security vulnerability applies to the following combinations of products.

Microsoft, Inc. Windows
Vigilinx, Inc. Malicious Code Alert
----------------------------------------------------------------------------
Copyright (c) 2001 by Vigilinx, Inc. http://www.vigilinx.com

Legal Disclaimer
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their circumstances. The information within this alert may change without notice. Use of information in this alert is governed by the terms of the Subscriber Agreement signed by the user and is subject to the limited warranty and limitations of liability contained therein.

-----Original Message-----
From: Kevin Reichhart [mailto:[email protected]]
Sent: Tuesday, December 04, 2001 1:05 PM
To: [email protected]
Subject: [FW-1] new virus (?)

We just got hit hard with emails with "Subject: Hi" and an attachment named "gone.scr". Has anyone else seen this?
What is the procedure for blocking an email based on the subject at the firewall?

-****-**--
Kevin Reichhart
Sr. Unix Administrator
Yantra Corporation
[email protected]
(w) (c)

> Yantra Corporation
> The Leader in Multi-Enterprise Commerce Management
> www.yantra.com
>

===============================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
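The alert's Safeguards section recommends filtering hazardous e-mail attachments before they reach users, and the thread asks about blocking on the subject line. The following is an added example for this thread, not code from Vigilinx, Sophos, Check Point or the FW-1 list. It scores a message against the indicators quoted in the alert (Subject "Hi", the screen-saver body text, the Gone.scr attachment) and shows why the attachment is the match to quarantine on: a subject of "Hi" alone is ordinary mail and only earns a flag. It assumes messages are available as RFC 822 text (for example dumped from a relay's spool); the sample messages and the list of executable extensions beyond .scr are constructed assumptions, not from the alert.

```python
"""Mail-gateway style check for the Goner indicators listed in the alert.

Added example, not code from Vigilinx, Sophos or the FW-1 list.
Assumes messages are available as RFC 822 text; the samples below are
constructed, not captured traffic.
"""
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the alert's "Warning Indicators" section.
GONER_SUBJECT = "hi"
GONER_BODY_PHRASE = "when i saw this screen saver"
GONER_ATTACHMENT = "gone.scr"
# Assumption: .scr is a PE executable, so blocking by extension also catches
# a renamed copy; the other extensions are a common gateway block list.
EXECUTABLE_EXTENSIONS = (".scr", ".exe", ".pif", ".com", ".bat", ".vbs")


def attachment_names(msg: EmailMessage) -> list[str]:
    """Return the lower-cased filenames of all attachments in the message."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            names.append(name.lower())
    return names


def goner_indicators(msg: EmailMessage) -> list[str]:
    """List which of the alert's indicators a message matches, in fixed order."""
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject == GONER_SUBJECT:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and GONER_BODY_PHRASE in body.get_content().lower():
        hits.append("body")
    names = attachment_names(msg)
    if GONER_ATTACHMENT in names:
        hits.append("attachment-name")
    if any(n.endswith(EXECUTABLE_EXTENSIONS) for n in names):
        hits.append("executable-attachment")
    return hits


def verdict(msg: EmailMessage) -> str:
    """'quarantine' on an executable attachment, 'flag' on text-only hits, else 'deliver'.

    Subject and body text are useful for triage but too easy to change and too
    common in legitimate mail to block on by themselves.
    """
    hits = goner_indicators(msg)
    if "attachment-name" in hits or "executable-attachment" in hits:
        return "quarantine"
    if hits:
        return "flag"
    return "deliver"


def classify_raw(raw: str) -> str:
    """Parse one RFC 822 message (e.g. from a spool file) and return its verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    return verdict(msg)


def build_sample(subject: str, body: str, attachment: tuple[str, bytes] | None = None) -> EmailMessage:
    """Build a constructed test message; attachment is (filename, bytes) or None."""
    msg = EmailMessage()
    msg["From"] = "[email protected]"
    msg["To"] = "[email protected]"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        fname, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return msg


# Constructed samples: the alert's lure, an ordinary "Hi" note, and a report.
SAMPLES = {
    "goner": build_sample(
        "Hi",
        "How are you ? When I saw this screen saver, I immediately thought about you "
        "I am in a harry, I promise you will love it!",
        ("Gone.scr", b"MZ-placeholder-not-a-real-binary"),
    ),
    "friendly_hi": build_sample("Hi", "Hi, are we still on for lunch?"),
    "report": build_sample("Q4 report", "Attached.", ("report.txt", b"numbers")),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:12s} {verdict(sample):10s} {goner_indicators(sample)}")
```

Run as a script it prints the verdict and matched indicators for each sample; `classify_raw` is the entry point to feed real messages through, and `SAMPLES["goner"].as_string()` shows the wire form it expects.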