Security Incidents mailing list archives

RE: Gone Worm


From: "Chris Eidem" <jceidem () dexma com>
Date: Wed, 5 Dec 2001 15:33:39 -0600

not too difficult to clean up.  

1. shut down the program (gone.scr) from task manager
2. dir \gone*.* /s (it dumps itself in a variety of places:
   \windows\system, \winnt\system, \temp, \winnt\profiles
   but one tricky place is that it dumps itself into the \winnt\system32 dir
   with the system, hidden and read-only bits set so make sure to do a
   attrib go*.* in that dir and make sure it isn't there.  if it is,
   attrib -h -s -r gon*.* and then delete them)
3. delete the key in the registry, it's in
   HKLM\Software\Microsoft\Windows\CurrentVersion\Run\gone.scr
4. reboot and if you dug it out of all of its hiding places, you
   shouldn't see it running.

hth,
chris

-----Original Message-----
From: Andrew Blevins [mailto:ABlevins () arrowheadgrp com]
Sent: Wednesday, December 05, 2001 12:02 PM
To: incidents () securityfocus com
Subject: Gone Worm


Has anyone had any success with isolating the Trojan script with this worm,
and having a for sure successful cleanup? Any help appreciated, and I
apologize in advance if I have missed a previous posting.
Blevins


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
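
The post-cleanup check from the reply above (step 4: confirm nothing is left), as an added example that is not part of the original thread. It only reads and reports; the function names are hypothetical, and it assumes the Run entry is a value under the Run key and that the listed directories are on the system drive.

```powershell
# Added example: read-only sweep, changes nothing on the host.
# Assumption: the directories named in the message sit on the system drive.
$dirs = '\windows\system', '\winnt\system', '\winnt\system32', '\temp', '\winnt\profiles' |
    ForEach-Object { Join-Path $env:SystemDrive $_ }

function Find-GoneFiles {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        # -Force lists hidden and system files, which a plain "dir" skips;
        # the Attributes column shows whether those bits are still set.
        Get-ChildItem -LiteralPath $p -Filter 'gone*.*' -File -Recurse -Force -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime, Attributes
    }
}

function Find-GoneRunEntry {
    $key   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($p in $props.PSObject.Properties) {
        # Skip the metadata properties the registry provider adds.
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        # Match on the value name or on data that points at gone.scr.
        if ($p.Name -like 'gone*' -or "$($p.Value)" -like '*gone.scr*') {
            [pscustomobject]@{ Name = $p.Name; Value = $p.Value }
        }
    }
}

function Find-GoneProcess {
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -like 'gone*' } |
        Select-Object Id, ProcessName, Path
}

$files = @(Find-GoneFiles -Path $dirs)
$run   = @(Find-GoneRunEntry)
$procs = @(Find-GoneProcess)

$files | Format-Table -AutoSize
$run   | Format-Table -AutoSize
$procs | Format-Table -AutoSize
if (($files.Count + $run.Count + $procs.Count) -eq 0) {
    'No gone*.* files, Run entries or processes found.'
}
```

Run it from an elevated prompt after the reboot; to mirror the whole-drive `dir \gone*.* /s`, pass the drive root to `Find-GoneFiles -Path`.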


