
AL-2001.18 -- W32.Goner.A@mm Worm
Date: 05 December 2001
Original URL: http://www.auscert.org.au/render.html?cid=1&it=111

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                        AL-2001.18  --  AUSCERT ALERT
                             W32.Goner.A@mm Worm
                               5 December 2001

===========================================================================

PROBLEM:  

  AusCERT has been made aware of the existence of a new mass mailing
  worm "Goner" that spreads itself via email attachments, IRC and ICQ.

  Opening the attachment causes the infected host to begin mass-mailing the
  worm to every entry in the Microsoft Outlook address book. The worm also
  attempts to stop and delete files belonging to common anti-virus and
  personal firewall products. All of this is disguised by an 'About' window
  followed by a fake error message intended to make the user believe the
  program simply failed to run.

  AusCERT has received reports of the virus in Australia. "Goner" has spread
  rapidly overseas and it is recommended that members take measures to
  protect themselves.

  Messages sent by the "Goner" virus have the following characteristics:
  - a subject line of "Hi"
  - an attachment called "Gone.scr" that is 38,912 bytes long (Outlook
    reports it as "gone.scr (38 KB)")
  - the body of the message contains the text:

    How are you ? 
    When I saw this screen saver, I immediately thought about you 
    I am in a harry, I promise you will love it! 

  When run, the worm performs the following actions:
  - displays an 'About' box naming the supposed author and testers of the
    program (these names may be fake).
  - displays an error window with the text "Error While Analyze DirectX!".
  - iterates through the Microsoft Outlook address book, sending a copy of
    itself to every address found there.
  - attempts to stop and delete common anti-virus and firewall products.
    If this step fails because of access errors, "Goner" adds entries to
    WININIT.INI so that Windows deletes the files on the next reboot.
  - if an ICQ client is installed, uses its DLL to spread itself via ICQ
    messages.
  - adds a script to the mIRC SCRIPT.INI file containing instructions to
    launch Denial of Service attacks against other IRC users.
  - adds itself to the registry as a run-on-startup application.


PLATFORM:

  "Goner" is a PE (Portable Executable) program, and as such will run on any
  32-bit Windows platform, including Windows 9X, ME, NT, 2000 and XP.
  On NT, 2000 and XP some of the above actions may fail if the user who
  opens the attachment lacks the rights to stop services, delete the
  targeted files or write to the relevant registry keys.


IMPACT:

  "Goner" has the ability to degrade network and system performance
  and possibly cause a Denial of Service attack on other systems. Due to
  its ability to disable anti-virus programs, it can also increase the risk
  of infection by other viruses.


RECOMMENDATIONS: 

  A. Detection

  Since "Goner" has the ability to impair virus scanners, you may need to
  check manually for the virus' presence. Follow the instructions supplied
  by virus scanner vendors (see the links below).
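  As an added example (not AusCERT's or any vendor's code) of the manual
  check referred to above, the following Python script looks for two of
  the traces listed under PROBLEM: delete-on-reboot entries in WININIT.INI
  and a run-on-startup registry value that references the worm file. The
  [rename] section semantics (destination=source, with NUL as the
  destination meaning "delete the source at next boot") and the Run,
  RunOnce and RunServices key paths are standard Windows behaviour;
  matching the Run value on the name gone.scr is an assumption drawn from
  the attachment name, since this alert does not say what the worm
  registers itself as. The WININIT.INI text and Run-key dictionary at the
  bottom are constructed samples so the script runs offline; the live
  registry reader needs Windows.

```python
import sys

# Registry keys Windows consults at boot/logon (checked under HKLM and HKCU).
# RunServices exists on Windows 9x/ME only.
RUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"Software\Microsoft\Windows\CurrentVersion\RunServices",
)

# Assumption: the worm's startup command names its own file, gone.scr.
WORM_FILENAME = "gone.scr"


def parse_wininit_rename(text):
    """Return (destination, source) pairs from the [rename] section of
    WININIT.INI. Windows processes this section once, early in the next
    boot; a destination of NUL means 'delete the source'. Keys repeat
    (several NUL= lines), so configparser is deliberately not used."""
    entries, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dst, src = (part.strip() for part in line.split("=", 1))
            entries.append((dst, src))
    return entries


def pending_deletes(text):
    """Files scheduled for deletion at next reboot. Legitimate installers use
    the same mechanism, so treat each hit as a lead to verify, not proof."""
    return [src for dst, src in parse_wininit_rename(text) if dst.upper() == "NUL"]


def suspicious_run_values(values, needle=WORM_FILENAME):
    """values: {value name: command string} read from one Run key."""
    return [(name, cmd) for name, cmd in values.items() if needle in cmd.lower()]


def read_run_keys_live():
    """Windows only: collect {key path: {value name: command}} for RUN_KEYS."""
    import winreg
    out = {}
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        for sub in RUN_KEYS:
            try:
                key = winreg.OpenKey(hive, sub)
            except OSError:
                continue
            values, index = {}, 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break
                values[name] = str(data)
                index += 1
            out[hive_name + "\\" + sub] = values
    return out


# Constructed samples (not captured from a real infection).
SAMPLE_WININIT = """[rename]
NUL=C:\\PROGRA~1\\SOMEAV\\SCANNER.EXE
NUL=C:\\WINDOWS\\SYSTEM\\FIREWALL.DLL
C:\\WINDOWS\\SYSTEM\\NEW.DLL=C:\\WINDOWS\\TEMP\\NEW.TMP
"""
SAMPLE_RUN = {
    "SystemTray": "SysTray.Exe",
    "Screensaver": "C:\\WINDOWS\\SYSTEM\\gone.scr",
}


def triage(wininit_text, run_values):
    """Summarise both checks; any non-empty list means 'inspect this host'."""
    return {"pending_deletes": pending_deletes(wininit_text),
            "run_entries": suspicious_run_values(run_values)}


if __name__ == "__main__":
    print(triage(SAMPLE_WININIT, SAMPLE_RUN))
    if sys.platform == "win32":
        for path, values in read_run_keys_live().items():
            print(path, suspicious_run_values(values))
```

  Run it on a copy of WININIT.INI taken from the Windows directory of the
  suspect host; on a live Windows machine the second loop reads the Run keys
  directly. A pending delete of an anti-virus or firewall file, combined with
  a Run entry pointing at gone.scr, is the pattern described under PROBLEM.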

  Organisations should consider blocking or quarantining executable
  files at their email gateway; screen-saver (.scr) files are ordinary
  executables and should be included in such a policy. This should prevent
  the "Goner" virus from reaching vulnerable computers in the first place.
  It is nevertheless recommended that all organisations contact their
  anti-virus vendors for an updated virus signature file that will detect
  this virus.
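  Both the message characteristics listed under PROBLEM and the gateway
  blocking recommended above can be checked mechanically. The following
  Python script is an added example, not AusCERT's code or any product's:
  it parses a message, flags any attachment that is executable either by
  extension or by the "MZ" header every PE file starts with (so a renamed
  .scr is still caught), and separately scores the Goner indicators quoted
  in this alert (subject "Hi", attachment name Gone.scr, 38,912-byte size,
  body phrase). The extension list, the two-indicator threshold and the
  sample message it builds are this example's assumptions; the attachment
  payload is a dummy padded to the advisory's size, not the worm.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the alert.
GONER_SUBJECT = "hi"
GONER_ATTACHMENT = "gone.scr"
GONER_SIZE = 38912
GONER_BODY_PHRASE = "when i saw this screen saver, i immediately thought about you"

# Assumed gateway policy: these extensions are blocked outright.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".vbs", ".dll"}


def is_pe_executable(data):
    """True if the payload starts with the DOS 'MZ' header of a PE file.
    Checked regardless of the declared filename."""
    return data[:2] == b"MZ"


def classify_message(raw):
    """raw: the message as bytes. Returns executable attachments found,
    which Goner indicators matched, and whether enough matched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdict = {"executable_attachments": [], "reasons": [], "goner_match": False}
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content().lower() if body else ""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS or is_pe_executable(data):
            verdict["executable_attachments"].append(name or "<unnamed>")
        if name == GONER_ATTACHMENT:
            verdict["reasons"].append("attachment name")
        if len(data) == GONER_SIZE:
            verdict["reasons"].append("attachment size")
    if (msg["subject"] or "").strip().lower() == GONER_SUBJECT:
        verdict["reasons"].append("subject")
    if GONER_BODY_PHRASE in body_text:
        verdict["reasons"].append("body text")
    # Assumption: two independent indicators are enough to quarantine.
    verdict["goner_match"] = len(verdict["reasons"]) >= 2
    return verdict


def build_sample(filename, payload, subject="Hi"):
    """Constructed sample message reproducing the alert's characteristics.
    The payload is a dummy supplied by the caller, not the worm."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content(
        "How are you ?\n"
        "When I saw this screen saver, I immediately thought about you\n"
        "I am in a harry, I promise you will love it!\n"
    )
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    # Dummy payload with an MZ header, padded to the size the alert reports.
    dummy = b"MZ" + b"\0" * (GONER_SIZE - 2)
    print(classify_message(build_sample("Gone.scr", dummy)))
    # A renamed executable is still caught by the header check.
    print(classify_message(build_sample("holiday.txt", b"MZ" + b"\0" * 100,
                                        subject="photos")))
```

  The two checks are kept separate on purpose: the executable-attachment
  rule is the general gateway policy and keeps working when the worm's
  subject or filename changes, while the indicator score identifies this
  particular worm for reporting and for purging mail that has already been
  queued.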

  B. Recovery

  Recovery from the "Goner" virus is made difficult by its ability to disable
  anti-virus programs. Follow the recovery steps listed at the following
  sites:

  http://vil.nai.com/vil/virusSummary.asp?virus_k=99272
  http://www.sarc.com/avcenter/venc/data/w32.goner.a@mm.html
  http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_GONE.A
  http://www.sophos.com/virusinfo/analyses/w32gonera.html
  http://www.europe.f-secure.com/v-descs/goner.shtml

  C. User Education

  System Administrators are urged to inform their users about proper
  precautions with regard to handling email attachments.

  AusCERT recommends that sites should update and check their virus
  defences and either delete or quarantine any email messages or
  attachments that resemble those described above or in the following
  links.

  D. Update Anti-Virus Packages

  System Administrators and users are urged to ensure that the latest
  anti-virus software is installed and that it is using the most
  current up-to-date virus databases.

  More information can be found at the vendor sites listed under
  B. Recovery above.


  AusCERT will continue to monitor the situation and we would
  appreciate any reports regarding this activity. If you have any
  information, comments or questions about this threat, please
  contact us.

- ---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation. The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures. AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT
and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST). On call
                after hours for emergencies.
                   
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPA3p3Sh9+71yA2DNAQG9sAP6AprcDxh0w8oFtinxT653ZESbua3LyfpI
Z0EAV8YPVFBMr4lFuRdoGd7lHriM5Syyqhh1fo+DKYLGby55F2VqXZICty2p0Jfe
PA5mHeMwuaruSo2B+Gi9AtArBMMwhzP2zBV0cFeIuiUF4TROQ9IyIYHnfk90xbtf
DtuxMdnR9cw=
=dmSD
-----END PGP SIGNATURE-----