Security Incidents mailing list archives

RE: New version of SirCam ===w32Goner


From: David Brown <David.Brown () synergex com>
Date: Tue, 4 Dec 2001 14:35:02 -0800

Additional information:

Had a user execute under Windows 2000 Pro.  The gone.scr file is written to
the ..\winnt\system32 directory.  It also sets attributes on the file to
Read Only, Hidden, and System.  The executing application is listed as
Pentagone.exe under Task Manager.

The aforementioned Registry Keys are the only ones noted in my searchings.

David M. Brown
Director, Information Technology Services
S Y N E R G E X
<http://www.synergex.com>
Office: 916 853-0396
FAX: 916 635-6549
Mobile: 916 718-6695


-----Original Message-----
From: Seth Leone [mailto:s1leone () yahoo com]
Sent: Tuesday, December 04, 2001 1:42 PM
To: Joao Gouveia; incidents () securityfocus com
Cc: incidents () securityfocus com
Subject: Re: New version of SirCam ===w32Goner


For those not already aware, this is named the
w32Goner: see below for details
<...pulled from mcafee's site>

  Aliases  
I-Worm.Goner (AVP)  
Pentagone  
W32.Goner.A@mm (NAV)  
W32/Goner-A (Sophos)  
W32/Goner.A@mm (Panda)  
Win32.Goner.A@mm (AVX) 

 Description
This mass mailing worm attempts to send itself using
Microsoft Outlook to all entries found in the Outlook
Address book. It tries to delete security software,
can spread via ICQ, and contains a DDoS payload via
IRC. It arrives in an email message containing the
following information: 
Subject: Hi 
Body: 
How are you ? 
When I saw this screen saver, I immediately thought
about you 
I am in a harry, I promise you will love it! 

Attachment: GONE.SCR 

Running this attachment infects the local system. 

When run, the worm displays a message box entitled,
"About" 
 
After a short time, another window entitled "Error" is
displayed: 

The worm copies itself into the WINDOWS SYSTEM folder
and adds the following registry key to load itself at
startup: 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
C:\%WINDIR%\SYSTEM\gone.scr=C:\%WINDIR%\SYSTEM\gone.scr


Under Windows 9x/ME, the worm looks for the following
processes in memory: 
_AVP32.EXE 
_AVPCC.EXE 
_AVPM.EXE 
APLICA32.EXE 
AVP.EXE 
AVP32.EXE 
AVPCC.EXE 
AVPM.EXE 
CFIADMIN.EXE 
CFIAUDIT.EXE 
CFINET32.EXE 
ESAFE.EXE 
FRW.EXE 
ICLOAD95.EXE 
ICLOADNT.EXE 
ICMON.EXE 
ICSUPP95.EXE 
ICSUPPNT.EXE 
LOCKDOWN2000.EXE 
NAVW32.EXE 
PCFWallICON.EXE 
SAFEWEB.EXE 
TDS2-98.EXE 
TDS2-NT.EXE 
VSHWIN32.EXE 
ZONEALARM.EXE 

If present, the process is terminated and all files in
the directory containing that executable are deleted,
as well as all files within any subdirectories. If
this action fails, the worm may create a WININIT.INI
file to delete the files upon restart. 
The worm attempts to copy ICQMAPI.DLL to the WINDOWS
SYSTEM directory. It appears to send itself to ICQ
users when a local ICQ user attempts to manually
send a file to another ICQ user. The worm also creates
the file REMOTE32.INI which contains instructions to
initiate a Denial of Service attack against other IRC
users. A reference to REMOTE32.INI is added to the
mIRC SCRIPT.INI file.
 
  Symptoms  
- Presence of the GONE.SCR 
- Presence of the REMOTE32.INI 
- Users stating that you have sent them the virus,
when you did not knowingly do so  

  Method Of Infection  
This mass-mailing worm sends itself to all users found
in the Outlook Address Book using a plain text format.
Therefore, the attachment does not start automatically
when the user opens the message and does not get
activated automatically when the Outlook preview pane
is used.

Removal Instructions  
All Windows Users:
Use current engine and DAT files for detection and
removal. 
Alternatively, the following EXTRA.DAT files are also
available
EXTRA.DAT 
SUPER EXTRA.DAT 

Reinstall any security software that was deleted by
the virus. 

Manual Removal Instructions (not required for McAfee
users with current engine and DAT files) 

WINDOWS 95/98/ME

Restart Windows in Safe Mode (reboot your computer,
just before the large WINDOWS startup screen comes up,
hit the F5 key). You can recognize that you're in Safe
Mode by the text Safe Mode in the 4 corners of the
desktop. 
Click START | FIND | Files or Folders ... 
Type GONE.SCR and hit ENTER 
Delete GONE.SCR (if present) 
Click START | RUN, type REGEDIT and hit ENTER 

Click the (+) next to HKEY_LOCAL_MACHINE 

Click the (+) next to SOFTWARE 

Click the (+) next to MICROSOFT 

Click the (+) next to WINDOWS 

Click the (+) next to CURRENTVERSION 

Click RUN 

Click on C:\WINDOWS\SYSTEM\gone.scr on the right and
hit DELETE on the keyboard 

Restart the computer 
WINDOWS NT/2000/XP

Type CTRL-ALT-DEL at the same time 
Choose TASK MANAGER and then choose the PROCESS tab 
Locate the GONE.SCR process, click it, and choose END
PROCESS 
Click START | FIND | Files or Folders ... 
Type GONE.SCR and hit ENTER 
Delete GONE.SCR (if present) 
Click START | RUN, type REGEDIT and hit ENTER 

Click the (+) next to HKEY_LOCAL_MACHINE 

Click the (+) next to SOFTWARE 

Click the (+) next to MICROSOFT 

Click the (+) next to WINDOWS 

Click the (+) next to CURRENTVERSION 

Click RUN 

Click on C:\WINNT\SYSTEM\gone.scr on the right and hit
DELETE on the keyboard 

Restart the computer 
Additional Windows ME Info:
NOTE: Windows ME utilizes a backup utility that backs
up selected files automatically to the C:\_Restore
folder. This means that an infected file could be
stored there as a backup file, and VirusScan will be
unable to delete these files. These instructions
explain how to remove the infected files from the
C:\_Restore folder.

Disabling the Restore Utility

1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click
Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected
files, or browse the files located in the C:\_Restore
folder and remove the files.
12. After removing the desired files, restart the
computer normally.
NOTE: To re-enable the Restore Utility, follow steps
1-9 and on step 5 remove the check mark next to
"Disable System Restore". The infected files are
removed and the System Restore is once again active.
__________________________________________________
Do You Yahoo!?
Buy the perfect holiday gifts at Yahoo! Shopping.
http://shopping.yahoo.com
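An added host check, written for this archive page and not taken from the thread or from McAfee, that looks for the indicators quoted above on a Windows box: a running GONE.SCR / Pentagone.exe process, the Run value naming gone.scr, gone.scr in the system directory with the Read-only/Hidden/System attributes David observed, REMOTE32.INI and any mIRC SCRIPT.INI that references it, and a leftover WININIT.INI. It assumes an elevated PowerShell session; the directories it searches for the mIRC files and the optional -Remove switch are my own assumptions, not something the thread specifies. Without -Remove it only reports.

```powershell
param([switch]$Remove)   # report only by default; -Remove cleans up what it finds

$sysDir   = [Environment]::GetFolderPath('System')            # C:\WINNT\system32 on 2000
$scrPath  = Join-Path $sysDir 'gone.scr'
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Process: Task Manager shows Pentagone.exe (David's report) or GONE.SCR (McAfee).
#    ProcessName has no extension, so match the bare names.
$procs = Get-Process -ErrorAction SilentlyContinue |
         Where-Object { $_.ProcessName -match '^(gone|pentagone)$' }
foreach ($p in $procs) {
    $findings.Add("process $($p.ProcessName) (PID $($p.Id))")
    if ($Remove) { Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue }
}

# 2. Persistence: a Run value whose name or data mentions gone.scr.
#    Get-ItemProperty adds PS* note properties; skip those.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -notmatch '^PS' -and "$($prop.Name) $($prop.Value)" -match 'gone\.scr') {
            $findings.Add("run value '$($prop.Name)' = '$($prop.Value)'")
            if ($Remove) {
                Remove-ItemProperty -Path $runKey -Name $prop.Name -ErrorAction SilentlyContinue
            }
        }
    }
}

# 3. Dropped file. -Force is needed to see a Hidden/System file, and the
#    Read-only attribute must be cleared before a delete will succeed.
if (Test-Path -LiteralPath $scrPath) {
    $item = Get-Item -LiteralPath $scrPath -Force
    $findings.Add("file $scrPath (attributes: $($item.Attributes))")
    if ($Remove) {
        $item.Attributes = [IO.FileAttributes]::Normal
        Remove-Item -LiteralPath $scrPath -Force
    }
}

# 4. mIRC payload: REMOTE32.INI, and a SCRIPT.INI that references it.
#    Assumed search roots; the thread does not say where mIRC lives.
$roots = @($sysDir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$inis  = Get-ChildItem -Path $roots -Recurse -Force -Include 'remote32.ini','script.ini' `
                       -ErrorAction SilentlyContinue
foreach ($ini in $inis) {
    if ($ini.Name -ieq 'remote32.ini') {
        $findings.Add("file $($ini.FullName)")
        if ($Remove) { Remove-Item -LiteralPath $ini.FullName -Force }
    }
    elseif (Select-String -LiteralPath $ini.FullName -Pattern 'remote32\.ini' -Quiet) {
        # Report only: SCRIPT.INI is the user's own mIRC config, so edit it by hand.
        $findings.Add("$($ini.FullName) references REMOTE32.INI")
    }
}

# 5. Deferred deletion list the worm may leave for the next reboot (9x/ME).
$wininit = Join-Path $env:windir 'wininit.ini'
if (Test-Path -LiteralPath $wininit) {
    $findings.Add("file $wininit present; review its [rename] section before rebooting")
}

if ($findings.Count -eq 0) { 'No Goner indicators found.' }
else { $findings | ForEach-Object { "[Goner] $_" } }
```

Run it once without -Remove and read the output before cleaning up: the SCRIPT.INI and WININIT.INI hits are reported but not modified, and after a cleanup you still need to reinstall whatever security software the worm deleted, as the McAfee text says.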

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
