
Re: [FW-1] new virus (?)



Here are a few details from Sophos:



> ----------
> From:         [email protected][SMTP:[email protected]]
> Sent:         Tuesday, December 04, 2001 11:39:50 AM
> To:   [email protected]
> Subject:      Worm: Goner
> Auto forwarded by a Rule
>
>
This Alert was sent to you by Vigilinx

Worm: Goner

-------------------------------------------------------------------------------------
Threat Type: Malicious Code:Worm

Alert ID        :2900
Version         :1

Urgency         :5 - Incidents Reported

Credibility     :5 - Confirmed

Severity        :4 - Moderate Damage

First Published :Dec 04, 2001; 11:36 AM
Last Published  :Dec 04, 2001; 11:36 AM

Status          :NEW

CVE             :Not Available

Version Summary
-------------------------------------------------------------------------------------
Goner is a mass-mailing worm that has been reported to be spreading
throughout Europe and the United States.  The worm is written in Visual
Basic and is packed with the Ultimate Packer for Executables (UPX) file
compressor.  When executed, the worm attempts to terminate and delete
security application processes to avoid detection.  Updated antivirus
definitions are available to detect this worm.


Description
-------------------------------------------------------------------------------------
Goner is a mass-mailing worm written in Visual Basic Script that is packed
with the Ultimate Packer for Executables (UPX) file compressor.  This worm
propagates through Microsoft Outlook and ICQ.  The worm propagates through
Outlook by sending a copy of itself to all of the addresses in an infected
user's Outlook Address Book.  The worm propagates through ICQ by gaining
approval for a file transfer from a contact in an infected user's contact
list.

Goner terminates the following security application processes:


APLICA32.EXE
ZONEALARM.EXE
ESAFE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET32.EXE
PCFWallIcon.EXE
FRW.EXE
VSHWIN32.EXE
VSECOMR.EXE
WEBSCANX.EXE
AVCONSOL.EXE
VSSTAT.EXE
PW32.EXE
VW32.EXE
VP32.EXE
VPCC.EXE
VPM.EXE
AVP32.EXE
AVPCC.EXE
AVPM.EXE
AVP.EXE
LOCKDOWN2000.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLOADNT.EXE
ICSUPPNT.EXE
TDS2-98.EXE
TDS2-NT.EXE
FEWEB.EXE

The worm also attempts to delete these files.  When the worm cannot delete
the files, it creates a wininit.ini file that attempts to delete these files
when the system is started.  The worm deletes its file from the folder where
it was first started from so that it exists only in the Windows\System
folder.  The worm also drops some scripts in the mIRC client directory that
are used to flood certain IRC channels.

Impact
-------------------------------------------------------------------------------------
Goner is a mass-mailing worm written in Visual Basic Script that propagates
through Outlook and ICQ.  This worm has the potential to flood e-mail
servers and IRC channels.  When executed, Goner terminates several security
application processes and deletes them in an attempt to avoid detection.

Warning Indicators
-------------------------------------------------------------------------------------
Goner arrives through e-mail with the following Subject, Body, and
Attachment:


Subject: Hi
Body: How are you ?
When I saw this screen saver, I immediately thought about you I am in a
harry, I promise you will love it!
Attachment: Gone.scr

When executed, the worm displays the following message in a dialog box that
also contains animation:


pentagone
coded by suid
tested by: ThE_SKuLL and |satan|
greetings to: TraceWar, k9-unit, stef16, ^Reno.
greetings also to nonick2 out there where ever you are.
Image Copyright (c) F-Secure Corporation

Goner then displays the following fake error message:


Error While Analyze DirectX!

Technical Information
-------------------------------------------------------------------------------------
Goner is a Portable Executable (PE) file that is 39 KB in size when it is
compressed and 145 KB uncompressed.  The worm copies gone.scr to the
\Windows\System folder and creates a registry key so that it is executed
each time that Windows is started.  Goner runs as a service process so that
it is not visible in the Task Manager.

Vigilinx Comments
-------------------------------------------------------------------------------------
This worm has been reported to be spreading throughout France, the United
Kingdom, and the United States.  Administrators should take immediate action
to prevent an infection and further propagation of the worm.

It is recommended that security policies and procedures require that users
report infections to security administrators, and that users not be
authorized to make changes to any antivirus settings or software, or attempt
to remove the virus.  Removing a virus from an infected system requires
carefully following the recommended procedures, which may be unique for that
virus.

Safeguards
-------------------------------------------------------------------------------------
Update current virus definitions and antiviral software programs to detect
and clean this worm.

File system monitoring checks should be performed regularly to detect any
unusual activity that may indicate the presence of a worm on the system.

Firewall filtering of hazardous e-mail attachment files can prevent the
distribution of this worm prior to them reaching systems and users.

Aliases/Variants
-------------------------------------------------------------------------------------
Aliases include W32/Gone.A@mm,  I-Worm.Goner, and Gone.

Patches/Software
-------------------------------------------------------------------------------------
The latest virus data file from F-Secure to detect this worm is available at
the following link:
F-Secure: http://www.fsecure.com/download-purchase/updates.shtml

The latest virus definition from Symantec to detect this worm is available
at the following link:
Symantec: http://www.symantec.com/avcenter/defs.download.html

The latest daily file update from Central Command to detect this worm is
available at the following link:
Central Command: http://www.centralcommand.com/update.html

The latest information from Kaspersky Labs is available at the following
link:  Kaspersky Labs: http://www.kaspersky.com

Alert History
-------------------------------------------------------------------------------------
This is a Malicious Code Alert.


Product Sets
-------------------------------------------------------------------------------------
The security vulnerability applies to the following combinations of
products.

Microsoft, Inc. Windows
Vigilinx, Inc. Malicious Code Alert


-------------------------------------------------------------------------------------
Copyright © 2001 by Vigilinx, Inc. http://www.vigilinx.com
Legal Disclaimer
The urgency and severity ratings of this alert are not tailored to
individual users; users may value alerts differently based upon their
circumstances. The information within this alert may change without
notice. Use of information in this alert is governed by the terms of the
Subscriber Agreement signed by the user and is subject to the limited
warranty and limitations of liability contained therein.

-----Original Message-----
From: Kevin Reichhart [mailto:[email protected]]
Sent: Tuesday, December 04, 2001 1:05 PM
To: [email protected]
Subject: [FW-1] new virus (?)


We just got hit hard with emails with "Subject: Hi" and an attachment named
"gone.scr".  has anyone else seen this?  What is the procedure for blocking
an email based on the subject at the firewall?

--
Kevin Reichhart
Sr. Unix Administrator
Yantra Corporation
[email protected]
(w) (c)
> Yantra Corporation
> The Leader in Multi-Enterprise Commerce Management
> www.yantra.com
>
>

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
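Kevin's question above is how to stop this mail at the gateway. As an added example (not from the list, from Sophos or from Vigilinx), the Python filter below applies the alert's Subject/Body/Attachment indicators to raw messages and returns a verdict per message; it treats the gone.scr attachment as the indicator worth blocking on, because a subject of "Hi" on its own would also catch ordinary mail. The sample messages are constructed for the example.

```python
from email import message_from_string

# Indicators as stated in the Vigilinx alert; compared case-insensitively.
GONER_SUBJECT = "hi"
GONER_BODY = ("when i saw this screen saver", "i promise you will love it")
GONER_FILE = "gone.scr"

def parts(raw):
    """Split one raw RFC 822 message into (subject, plain-text body, attachment names)."""
    msg = message_from_string(raw)
    body, names = [], []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(name.lower())
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body.append(payload.decode("latin-1", "replace").lower())
    return (msg.get("Subject") or "").strip().lower(), " ".join(body), names

def classify(raw):
    """'block' on a gone.scr attachment; 'suspect' when subject and body both
    match (a subject of "Hi" alone is far too common to act on); else 'pass'."""
    subject, body, names = parts(raw)
    if GONER_FILE in names:
        return "block"
    if subject == GONER_SUBJECT and any(p in body for p in GONER_BODY):
        return "suspect"
    return "pass"

# Constructed sample reproducing the lure described in the alert (no real worm data).
GONER_SAMPLE = """\
Subject: Hi
Content-Type: multipart/mixed; boundary="b1"

--b1

How are you ?
When I saw this screen saver, I immediately thought about you I am in a
harry, I promise you will love it!
--b1
Content-Type: application/octet-stream; name="Gone.SCR"
Content-Disposition: attachment; filename="Gone.SCR"

AAAAAAAA
--b1--
"""
BENIGN_SAMPLE = "Subject: Hi\n\nAre we still on for lunch tomorrow?\n"  # constructed
```

The attachment name is matched case-insensitively, since the alert itself writes it both as Gone.scr and gone.scr.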