McAfee AVERT (Anti-Virus Emergency Response Team), a division of Network Associates, today assigned a HIGH-OUTBREAK risk assessment to the recently discovered Goner worm. Since its discovery earlier today, McAfee AVERT Labs has received more than 500 reports from end-users and corporate enterprises worldwide, including Fortune 500 businesses.
Symptoms
W32/Goner@MM, also known as Goner or Goner.A, is a mass-mailing Internet worm that, when run, mass-mails itself to everyone in the user's Microsoft Windows Address Book. When executed, it displays a message box entitled "About," and after a short time another window entitled "Error" is displayed. The worm also attempts to delete the following files, some of which belong to anti-virus software programs:
APLICA32.EXE
ZONEALARM.EXE
ESAFE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET32.EXE
PCFWallICON.EXE
FRW.EXE
VSHWIN32.EXE
NAVW32.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
AVP32.EXE
AVPCC.EXE
AVPM.EXE
AVP.EXE
LOCKDOWN2000.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLOADNT.EXE
ICSUPPNT.EXE
TDS2-98.EXE
TDS2-NT.EXE
SAFEWEB.EXE
The infected e-mail has the following characteristics:
Subject: Hi
Body Text:
How are you ?
When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!
Attachment: GONE.SCR
Cure
McAfee VirusScan users should update their systems from that page and use the 4.0.70 or later scanning engine to stop potential damage.
McAfee AVERT is one of the top-ranked anti-virus research organizations in the world, employing more than 90 researchers in offices on five continents. McAfee AVERT protects customers by providing cures that are developed through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and active .dat technology to generate cures for previously undiscovered viruses.
With headquarters in Santa Clara, Calif., Network Associates, Inc. is a leading supplier of security and availability solutions for e-businesses. Network Associates is comprised of three product groups: McAfee, delivering world class anti-virus and security products; Sniffer, a leader in network availability and system security; and Magic Solutions, providing web-based service desk solutions.
Tripwire Integrity Alert: IA120401
A new virus, dubbed Gone, Goner or Pentagone, is a Visual Basic Script program that spreads via e-mail and the ICQ messaging system. On infected computers, it stops most antivirus and security programs.
The virus only affects computers running Microsoft Windows and spreads through Outlook e-mail clients. Macs and computers running Linux or other Unix-like operating systems are unaffected.
The virus arrives in a message with the subject "Hi" and the following text in the body of the e-mail: "How are you? When I saw this screensaver, I immediately thought about you I am in a harry, I promise you will love it!"
Attached to the message is what appears to be a screensaver file, Gone.scr, a compressed copy of the virus. When the file is opened, the Goner virus infects the victim's PC, stopping a variety of antivirus and security applications and deleting all the files in the folders containing those applications. Kaspersky Lab's AVP, Zone Labs' ZoneAlarm, and Internet Security Systems' Black Ice are among the programs affected. After eliminating the security software on the computer, the virus opens a dialog box containing its name, Goner, and the handles of its creators. The dialog box also includes acknowledgements to other people on the Net, in a style similar to that of online vandals who deface Web sites.
The virus then installs a backdoor program linked to mIRC, a popular Internet Relay Chat program. The backdoor can be used to execute denial-of-service attacks against IRC servers.
In addition, the virus attempts to spread using e-mail and ICQ. To spread by e-mail, Goner uses script commands to send a copy of itself to every entry in the victim's Outlook address book. In ICQ, the virus uses specific commands to send a copy of itself to other people using the messaging application.
Tripwire Will Detect & Facilitate Recovery from Goner Virus
Tripwire for Servers will detect any changes made to the file system by this virus, whether it is deleting files, changing registry entries or adding malicious programs to a system. A Tripwire user has several ways to detect the virus.
If you are using a standard installation of Tripwire based on our default policy file, you would expect to see the following new/modified entries:
Added Files:
C:\winnt\system\gone.scr
C:\winnt\system\wininit.ini
Possible Added/Modified Files (depending on currently installed software):
C:\winnt\system\ICQMAPI.dll
C:\mIRC\SCRIPT.ini
Possible Deleted Files:
Goner attempts to delete a number of antivirus and security applications; a complete list is not feasible, but you can expect violations relating to the following applications (among others):
Norton Antivirus
ZoneAlarm
ISS Black Ice
SafeWeb
Lockdown 2000
Modified Registry Key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Value added: C:\%SYSTEM%\gone.scr
Tripwire for Servers uses a "baseline" of information about the systems it protects and reports on deviations from that known-good baseline. These reports provide a comprehensive list of the files and registry keys that the virus has affected. Because the exact changes made by the virus are outlined, you can focus your recovery effort on only the specific files and registry keys that were changed, rather than reinstalling the complete operating system and other applications, which gives you a direct and easy recovery path.
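The following is an added example, not Tripwire's own code or part of the alert: it implements the baseline-versus-current comparison the alert describes and maps the resulting added, deleted and modified entries onto the file names and Run-key value listed above. The system state, paths and file contents are constructed for the demonstration; the indicator names are transcribed from the advisory text.

```python
import hashlib
import ntpath

# Indicators transcribed from the advisory (matched case-insensitively on the file name).
GONER_DROPPED = {"gone.scr", "wininit.ini", "icqmapi.dll", "script.ini"}
GONER_TARGETS = {"zonealarm.exe", "navw32.exe", "avp32.exe", "safeweb.exe",
                 "lockdown2000.exe", "vshwin32.exe", "esafe.exe"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"


def snapshot(files, run_values):
    """Record a baseline: each path's SHA-256 plus the values under the Run key."""
    return {"files": {p: hashlib.sha256(c).hexdigest() for p, c in files.items()},
            "run": dict(run_values)}


def compare(baseline, current):
    """Integrity report in the Tripwire style: added, deleted and modified since the baseline."""
    b, c = baseline["files"], current["files"]
    return {
        "added": sorted(set(c) - set(b)),
        "deleted": sorted(set(b) - set(c)),
        "modified": sorted(p for p in b.keys() & c.keys() if b[p] != c[p]),
        "run_added": {k: v for k, v in current["run"].items() if k not in baseline["run"]},
    }


def goner_indicators(report):
    """Map report entries onto the worm's footprint; returns (kind, detail) tuples."""
    hits = []
    for path in report["added"] + report["modified"]:
        if ntpath.basename(path).lower() in GONER_DROPPED:
            hits.append(("dropped", path))
    for path in report["deleted"]:
        if ntpath.basename(path).lower() in GONER_TARGETS:
            hits.append(("security tool removed", path))
    for name, value in report["run_added"].items():
        if ntpath.basename(value).lower() == "gone.scr":
            hits.append(("persistence", f"{RUN_KEY}\\{name} = {value}"))
    return hits


# Constructed sample system state (hypothetical paths and contents, not a real host).
BASELINE = snapshot(
    {r"C:\winnt\system\kernel32.dll": b"ok", r"C:\mIRC\mirc.exe": b"irc",
     r"C:\ZoneAlarm\zonealarm.exe": b"fw", r"C:\Norton\navw32.exe": b"av"},
    {"SystemTray": r"C:\winnt\system\systray.exe"})
INFECTED = snapshot(
    {r"C:\winnt\system\kernel32.dll": b"ok", r"C:\mIRC\mirc.exe": b"irc",
     r"C:\winnt\system\gone.scr": b"x", r"C:\winnt\system\wininit.ini": b"y",
     r"C:\mIRC\script.ini": b"z"},
    {"SystemTray": r"C:\winnt\system\systray.exe", "gone": r"C:\winnt\system\gone.scr"})

if __name__ == "__main__":
    for kind, detail in goner_indicators(compare(BASELINE, INFECTED)):
        print(f"{kind:24} {detail}")
```

Files that were neither dropped nor deleted by the worm (here kernel32.dll and mirc.exe) produce no report entry, which is what lets the recovery effort stay limited to the affected items.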