Security Incidents mailing list archives
RE: Gone Worm
From: "Chris Eidem" <jceidem () dexma com>
Date: Wed, 5 Dec 2001 15:33:39 -0600
not too difficult to clean up.

1. shut down the program (gone.scr) from task manager

2. dir \gone*.* /s (it dumps itself in a variety of places: \windows\system, \winnt\system, \temp, \winnt\profiles but one tricky place is that it dumps itself into the \winnt\system32 dir with the system, hidden and read-only bits set so make sure to do an attrib go*.* in that dir and make sure it isn't there. if it is, attrib -h -s -r gon*.* and then delete them

3. delete the key in the registry, it's in HKLM\Software\Microsoft\Windows\CurrentVersion\Run\gone.scr

4. reboot and if you dug it out of all of its hiding places, you shouldn't see it running.

hth,
chris
-----Original Message-----
From: Andrew Blevins [mailto:ABlevins () arrowheadgrp com]
Sent: Wednesday, December 05, 2001 12:02 PM
To: incidents () securityfocus com
Subject: Gone Worm

Has anyone had any success with isolating the Trojan script with this worm, and having a for sure successful cleanup? Any help appreciated, and I apologize in advance if I have missed a previous posting.

Blevins

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
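A verification sweep for the cleanup steps in the reply above, as an added example that is not part of the original thread or written by either poster. It assumes PowerShell 3.0 or later run from an elevated prompt, treats the Run entry as a value named gone.scr, and the parameter names ($Roots, $Pattern, $Remove) are hypothetical. It only reports unless -Remove is given.

```powershell
# Added example: checks each place the reply names and reports what is left.
param(
    [string[]]$Roots   = @("$env:SystemDrive\"),  # assumption: sweep the system drive
    [string]  $Pattern = 'gone*.*',               # file pattern from step 2 of the reply
    [switch]  $Remove                             # hypothetical switch: delete what is found
)

$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'gone.scr'                           # Run entry named in step 3

# Step 1: is a process with that image name still running?
$procs = @(Get-CimInstance Win32_Process | Where-Object { $_.Name -like 'gone*' })

# Step 2: find copies on disk. -Force makes Get-ChildItem return files with the
# hidden and system bits set, which a plain directory listing would skip.
$files = @(foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -Filter $Pattern -File -Recurse -Force `
        -ErrorAction SilentlyContinue
})

# Step 3: is the autostart entry still present?
$runEntry = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue

# Report findings before changing anything.
$procs | Select-Object ProcessId, Name, ExecutablePath | Format-Table -AutoSize
$files | Select-Object FullName, Attributes, Length   | Format-Table -AutoSize
if ($runEntry) { "Run entry present: $valueName = $($runEntry.$valueName)" }

if ($Remove) {
    foreach ($p in $procs) {
        Stop-Process -Id $p.ProcessId -Force
    }
    foreach ($f in $files) {
        # Same effect as attrib -h -s -r followed by del.
        $f.Attributes = [System.IO.FileAttributes]::Normal
        Remove-Item -LiteralPath $f.FullName -Force
    }
    if ($runEntry) {
        Remove-ItemProperty -Path $runKey -Name $valueName
    }
}

# Summary line suitable for collecting across many hosts.
"{0}: processes={1} files={2} runEntry={3}" -f $env:COMPUTERNAME,
    $procs.Count, $files.Count, [bool]$runEntry
```

Running it again after the reboot in step 4 should give zero processes, zero files and runEntry=False.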