Internet Security Systems (ISS) X-Force has published information about a new virulent e-mail worm that is currently propagating rapidly. The worm is disguised as a .SCR screensaver file and is propagated via email and the ICQ chat network. Goner is mildly destructive and generates a large amount of network traffic, which may overload network devices and email gateways. Goner also attempts to disable personal firewall and antivirus software. Users who rely on these products may or may not be protected. In addition, the Goner worm contains a powerful distributed denial of service (DDoS) component, which may enable attackers to control infected systems over the IRC (Internet Relay Chat) network to initiate flooding attacks on targets.
Credit:
The information has been provided by X-Force.
The Goner worm infects Microsoft Outlook and Microsoft Outlook Express users by delivering the worm executable in the form of a .SCR file attachment. The filename is GONE.SCR. This file needs to be manually executed by the user to spread. The body and subject of each infected email are identical. Upon infection, the Goner worm will send a copy of itself to every contact in the user's address book.
Microsoft Outlook 2002 will block potentially harmful attachments by default. Outlook 2002 will also prompt users with the following information in a dialog box if the worm is executed:
A program is trying to access e-mail addresses you have stored in Outlook. Do you want to allow this?
If this is unexpected, it may be a virus and you should choose "No".
The following is an example of an infected email message:
Subject: Hi
How are you ?
When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!
Attachment: GONE.SCR
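Because the subject, body and attachment name are fixed, the message above can be matched at a mail gateway. The following is an added example (not ISS X-Force code) that classifies a raw RFC 822 message using the indicators listed in this advisory, and also flags any other .SCR attachment; the sample messages it builds are constructed test data.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators from the advisory: fixed subject, fixed body text, fixed attachment name.
GONER_SUBJECT = "hi"
GONER_BODY_FRAGMENTS = (
    "when i saw this screen saver, i immediately thought about you",
    "i am in a harry, i promise you will love it",
)
GONER_ATTACHMENT = "gone.scr"


def classify(raw_message: str) -> str:
    """Return 'goner', 'scr-attachment' or 'clean' for one raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    attachments = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    body_part = msg.get_body(preferencelist=("plain",))
    # Lower-case and collapse whitespace so line wrapping does not defeat matching.
    body = " ".join(body_part.get_content().split()).lower() if body_part else ""
    subject = (msg.get("Subject") or "").strip().lower()
    if GONER_ATTACHMENT in attachments and (
        subject == GONER_SUBJECT or any(f in body for f in GONER_BODY_FRAGMENTS)
    ):
        return "goner"
    # Any other .SCR attachment is still worth quarantining at the gateway.
    if any(name.endswith(".scr") for name in attachments):
        return "scr-attachment"
    return "clean"


def build_message(subject, body, attachment_name=None):
    """Build a constructed sample message (test data, not a real capture)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_string()


# Body text as quoted in the advisory (the misspelling is the worm's own).
GONER_BODY = ("How are you ?\nWhen I saw this screen saver, I immediately thought about you\n"
              "I am in a harry, I promise you will love it!")

if __name__ == "__main__":
    print(classify(build_message("Hi", GONER_BODY, "GONE.SCR")))        # goner
    print(classify(build_message("Photos", "see attached", "pics.scr")))  # scr-attachment
    print(classify(build_message("Hi", "How are you? Lunch tomorrow?")))  # clean
```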
The worm also has the ability to propagate via ICQ if it is installed. Goner uses ICQ's ICQMAPI.DLL interface to send copies of itself to all contacts that are currently online. The contact must approve the file transfer to receive a copy of the worm. The contact must then execute the file in order to be infected. The worm also includes a backdoor to infect mIRC installations, so that they can be used to launch IRC-based distributed denial of service attacks.
The Goner worm copies itself to the infected user's hard drive, and then points a registry key to the file location to execute the worm each time the system reboots. The following registry key is created:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\%System%\gone.scr = %System%\gone.scr
Goner also attempts to disable antivirus and personal firewall software. The list of antivirus and personal firewall executables appears to have been taken from a previous worm, known as I-Worm.fog. More information on the I-Worm.fog email worm is available at:
http://www.avp.ch/avpve/worms/email/fog.stm
The Goner worm kills the following processes upon infection, and then attempts to delete the associated executables:
IAMAPP.EXE - AtGuard Personal Firewall
IAMSERV.EXE - AtGuard Personal Firewall
APLICA32.EXE - unknown
ZONEALARM.EXE - ZoneLabs ZoneAlarm
ESAFE.EXE - eSafe, Aladdin Knowledge Systems
CFIADMIN.EXE - ConSeal PC Firewall
CFIAUDIT.EXE - ConSeal PC Firewall
CFINET.EXE - ConSeal PC Firewall
CFINET32.EXE - ConSeal PC Firewall
PCFWallIcon.EXE - ConSeal PC Firewall
FRW.EXE - ConSeal PC Firewall
VSHWIN32.EXE - McAfee VirusScan
VSECOMR.EXE - McAfee VirusScan
WEBSCANX.EXE - McAfee VirusScan
AVCONSOL.EXE - McAfee VirusScan
VSSTAT.EXE - McAfee VirusScan
NAVAPW32.EXE - Norton AntiVirus
NAVW32.EXE - Norton AntiVirus
_AVP32.EXE - AVP Scanner
_AVPCC.EXE - AVP Control Centre Application
_AVPM.EXE - AVP Monitor
AVP32.EXE - AVP Scanner
AVPCC.EXE - AVP Control Centre Application
AVPM.EXE - AVP Monitor
AVP.EXE - AntiViral Toolkit Pro (AVP)
LOCKDOWN2000.EXE - LockDown 2000 (http://harbortelco.com/)
ICMON.EXE - Sophos Antivirus Monitor
ICLOAD95.EXE - Sophos Antivirus for Windows 95
ICSUPP95.EXE - Sophos Antivirus for Windows 95
ICLOADNT.EXE - Likely Sophos Antivirus for Windows NT
ICSUPPNT.EXE - Likely Sophos Antivirus for Windows NT
TDS2-98.EXE - TDS-2 Trojan Defense Suite (http://www.diamondcs.com.au/)
TDS2-NT.EXE - TDS-2 Trojan Defense Suite (http://www.diamondcs.com.au/)
SAFEWEB.EXE - Safeweb
Recommendations:
ISS X-Force recommends that all users and system administrators update their antivirus software and initiate a virus scan.
Network administrators may choose to filter ICQ traffic during an infection to block further propagation. ICQ client to server communication is conducted over TCP port 5190. Network administrators may also block the worm's communication over IRC by blocking the host, "twisted.ma.us.dal.net".
Consider upgrading Microsoft Outlook email clients to Outlook 2002. Outlook 2002 has many security features that will block the propagation of Goner and many other worms.
To remove the Goner worm from your system:
1. Delete the registry key created by Goner:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\%System%\gone.scr = %System%\gone.scr
2. Delete the file GONE.SCR from your system. Depending on your configuration, this file will be in C:\WINDOWS\system\ or C:\WINNT\system32\.