The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>W32/Goner Worm</h2>

Release Date: December 4, 2001<br/>
<a name="affected"></a>
<h3>Systems Affected</h3>
<ul>
<li>Systems running Microsoft Windows with Microsoft Outlook installed</li>
<li>Systems running Microsoft Windows with Microsoft Office and ICQ installed</li>
</ul>
<a name="overview"></a>
<h2>Overview</h2>
<p>W32/Goner is a malicious Windows program distributed as an email
file attachment and via ICQ file transfers. To a user, the file (gone.scr)
appears to be a Windows screen saver. W32/Goner infects a system when
a user executes the file "gone.scr".
</p>
<h2>Description</h2>
<p>
Late this morning, the CERT/CC began receiving reports of a new piece
of malicious code known as W32/Goner. Since that time, the CERT/CC has
received an increasing number of reports of this code circulating on
the Internet.

<p>
Analysis indicates that this code is spreading via email with the
following characteristics:

<pre>
Subject:	Hi!

Body:	How are you ?
	When I saw this screen saver, I immediately thought about you
	I am in a harry, I promise you will love it!

Attachment:gone.scr
</pre>
<p>Several anti-virus vendors have stated that this code may also
propagate via the ICQ messaging program. W32/Goner is believed to
initiate a file transfer with any "online" users in the infected
user's contact list. If the user on the receiving end approves the
transfer, the worm sends a copy of itself.

<p>When the file "gone.scr" is executed, the worm displays a splash
screen and a false error message in an attempt to fool the user into
thinking the program is a legitimate screen saver. It copies itself to
the Windows system folder (usually C:\WINDOWS\SYSTEM32\scr.exe or
C:\WINNT\SYSTEM32\scr.exe) and modifies the Windows registry to
execute itself upon reboot by adding the following key:

<dl>
<dd>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
C:%WINDIR%\SYSTEM\gone.scr=C:\%WINDIR\SYSTEM\gone.scr
</dd></dl>
<p>W32/Goner propagates by sending itself to all addresses listed in
the Microsoft Outlook address book and all online users in the ICQ
contacts list.

<p>In addition, the worm looks for and terminates processes associated
with many popular antivirus and security programs. The following
processes/files are targeted by this malicious code:

<dl>
<dd>APLICA32.EXE</dd>
<dd>ZONEALARM.EXE</dd>
<dd>ESAFE.EXE</dd>
<dd>CFIADMIN.EXE</dd>
<dd>CFIAUDIT.EXE</dd>
<dd>CFINET.EXE</dd>
<dd>PCFWallIcon.EXE</dd>
<dd>FRW.EXE</dd>
<dd>VSHWIN32.EXE</dd>
<dd>VSECOMR.EXE</dd>
<dd>WEBSCANX.EXE</dd>
<dd>AVCONSOL.EXE</dd>
<dd>VSSTAT.EXE</dd>
<dd>PW32.EXE</dd>
<dd>VW32.EXE</dd>
<dd>VP32.EXE</dd>
<dd>VPCC.EXE</dd>
<dd>VPM.EXE</dd>
<dd>_AVP32.EXE</dd>
<dd>_AVPCC.EXE</dd>
<dd>_AVPM.EXE</dd>
<dd>AVP32.EXE</dd>
<dd>AVPCC.EXE</dd>
<dd>AVPM.EXE</dd>
<dd>AVP.EXE</dd>
<dd>LOCKDOWN2000.EXE</dd>
<dd>ICLOAD95.EXE</dd>
<dd>ICMON.EXE</dd>
<dd>ICSUPP95.EXE</dd>
<dd>ICLOADNT.EXE</dd>
<dd>ICSUPPNT.EXE</dd>
<dd>TDS2-98.EXE</dd>
<dd>TDS2-NT.EXE</dd>
<dd>FEWEB.EXE</dd>
<dd>SAFEWEB.EXE</dd>
</dl>
<p>If W32/Goner finds any of these programs running, the process is
terminated and all files in the directory containing that executable
are deleted. If the worm is unable to delete the files immediately, it
creates a file called WININIT.INI, which deletes the files upon reboot.
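<p>The two host-side artifacts described above, the Run-key entry that relaunches the worm at reboot and the WININIT.INI that finishes deleting security software, are what an administrator would look for when triaging a suspect machine. The following is an added example, not part of the CERT note: it checks a captured set of Run-key values for a screen-saver-style executable launched from the system folder, and parses a WININIT.INI for files scheduled for deletion. The <code>[rename]</code> section with a <code>NUL=</code> destination is the documented Windows 9x reboot-deletion syntax and is background knowledge, not something the note states; all paths, value names and file contents below are constructed samples, and the function names are this example's own.</p>

```python
"""Added example (not part of the CERT note): offline triage of the two
artifacts the note attributes to W32/Goner.  Inputs are constructed text,
not captures from a real host."""
import ntpath

# Process names the note lists as targeted by the worm (compared upper-case).
TARGETED_PROCESSES = {
    "APLICA32.EXE", "ZONEALARM.EXE", "ESAFE.EXE", "CFIADMIN.EXE", "CFIAUDIT.EXE",
    "CFINET.EXE", "PCFWALLICON.EXE", "FRW.EXE", "VSHWIN32.EXE", "VSECOMR.EXE",
    "WEBSCANX.EXE", "AVCONSOL.EXE", "VSSTAT.EXE", "PW32.EXE", "VW32.EXE", "VP32.EXE",
    "VPCC.EXE", "VPM.EXE", "_AVP32.EXE", "_AVPCC.EXE", "_AVPM.EXE", "AVP32.EXE",
    "AVPCC.EXE", "AVPM.EXE", "AVP.EXE", "LOCKDOWN2000.EXE", "ICLOAD95.EXE", "ICMON.EXE",
    "ICSUPP95.EXE", "ICLOADNT.EXE", "ICSUPPNT.EXE", "TDS2-98.EXE", "TDS2-NT.EXE",
    "FEWEB.EXE", "SAFEWEB.EXE",
}

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def first_token(command):
    """Return the executable path from a Run-key command line (handles a quoted path)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_run_values(run_values):
    """Flag Run values that launch a .scr file or scr.exe from a Windows system folder.

    run_values maps value name -> command string, as exported from RUN_KEY."""
    hits = []
    for name, command in run_values.items():
        exe = first_token(command)
        base = ntpath.basename(exe).lower()
        parent = ntpath.basename(ntpath.dirname(exe)).lower()
        if parent in ("system", "system32") and (base.endswith(".scr") or base == "scr.exe"):
            hits.append((name, command))
    return hits


def pending_deletions(wininit_text):
    """Return source paths scheduled for deletion at reboot.

    Windows 9x processes WININIT.INI's [rename] section as destination=source lines;
    a destination of NUL deletes the source.  Duplicate NUL keys are normal here, so
    the file is parsed line by line rather than with configparser."""
    deletions, in_rename = [], False
    for raw in wininit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = (s.strip() for s in line.split("=", 1))
            if dest.upper() == "NUL" and src:
                deletions.append(src)
    return deletions


def known_target_deletions(wininit_text):
    """Subset of pending deletions whose file name is one of the note's targeted processes."""
    return [p for p in pending_deletions(wininit_text)
            if ntpath.basename(p).upper() in TARGETED_PROCESSES]


# Constructed sample Run values: two ordinary entries and one matching the note's pattern.
SAMPLE_RUN_VALUES = {
    "SystemTray": r"SysTray.Exe",
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    r"C:\WINDOWS\SYSTEM\gone.scr": r"C:\WINDOWS\SYSTEM\gone.scr",
}

# Constructed WININIT.INI: the worm deletes every file in a targeted program's directory.
SAMPLE_WININIT = r"""; constructed sample, not a real capture
[rename]
NUL=C:\PROGRA~1\ZONELABS\ZONEALARM.EXE
NUL=C:\PROGRA~1\ZONELABS\README.TXT
NUL=C:\WINDOWS\TEMP\~DF1234.TMP
"""

if __name__ == "__main__":
    for name, command in suspicious_run_values(SAMPLE_RUN_VALUES):
        print(f"suspicious {RUN_KEY}\\{name} = {command}")
    for path in pending_deletions(SAMPLE_WININIT):
        tag = "targeted security tool" if path in known_target_deletions(SAMPLE_WININIT) else "other file"
        print(f"pending deletion ({tag}): {path}")
```

<p>The README.TXT and .TMP entries are reported too, because the note says the worm deletes every file in the directory of a killed process, not just the executable; the targeted-process list only tells you which deletions point directly at a security product.</p>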

<p>There is also some evidence that W32/Goner may install denial of
service scripts for the mIRC Internet Relay Chat client.

<h2>Impact</h2>
<p>
The worm may disable anti-virus and security software installed on the system.
<p>
During propagation, sites may experience residual denial of service
conditions on hosts or email systems through which the worm is sent.

<h2>Solutions</h2>
<h4>Run and maintain an antivirus product</h4>
<p>It is important for users to update their antivirus software.
Most antivirus software vendors have released updated information,
tools, or virus databases to help detect and partially recover from
this malicious code.  A list of vendor-specific antivirus information
can be found in <a href="#vendors">Appendix A</a>.

<p>Many antivirus packages support automatic updates of virus definitions. 
We recommend using these automatic updates when available.

<h4>Don't open email attachments</h4>
<p>The W32/Goner worm may arrive as an email attachment (gone.scr).
Users should <b>not</b> open attachments of this nature. In general,
users should use caution when opening any email attachment by first
scanning it with an anti-virus product.
</p>
<h4>Don't open files received via instant messaging applications</h4>
<p>The W32/Goner worm may arrive via an ICQ file transfer. ICQ users
should exercise caution when opening files received via a file
transfer just as they would with email attachments.
</p>
<h4>Filter email attachments</h4>
<p>System administrators may install filters on mail servers to
prevent potentially harmful files (.exe, .vbs, .bat, .scr, etc.) from being
spread via email. In this case filters could be used to prevent the
spread of "gone.scr".
</p>
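<p>A mail-server attachment filter of the kind recommended above, combined with a match on the message characteristics quoted in the Description, is shown here as an added example (it is not part of the CERT note and is not vendor code). It uses only Python's standard <code>email</code> package: one check rejects any attachment whose extension is on the block list the note gives (.exe, .vbs, .bat, .scr), and a second, narrower check reports a message whose subject, body text and attachment name all match the worm's. The sample messages, addresses and function names are constructed for the example; the attachment payload is a placeholder string.</p>

```python
"""Added example (not part of the CERT note): a minimal mail-filter check for
the W32/Goner lure using only the standard library.  Messages below are
constructed from the characteristics quoted in the note."""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions the note names for server-side filtering.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".bat", ".scr"}

# Message characteristics quoted in the note's Description section.
GONER_SUBJECT = "Hi!"
GONER_ATTACHMENT = "gone.scr"
GONER_BODY_MARKERS = (
    "When I saw this screen saver, I immediately thought about you",
    "I am in a harry, I promise you will love it!",
)


def attachment_names(msg):
    """File names of all parts marked as attachments."""
    return [part.get_filename() for part in msg.iter_attachments() if part.get_filename()]


def blocked_attachments(msg):
    """Attachment names whose extension is on the block list (case-insensitive)."""
    return [n for n in attachment_names(msg)
            if os.path.splitext(n)[1].lower() in BLOCKED_EXTENSIONS]


def matches_goner_lure(msg):
    """True only when subject, body text and attachment name all match the note."""
    if (msg.get("Subject") or "").strip() != GONER_SUBJECT:
        return False
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if not any(marker in body for marker in GONER_BODY_MARKERS):
        return False
    return any(n.lower() == GONER_ATTACHMENT for n in attachment_names(msg))


def filter_message(raw_bytes):
    """Parse a raw RFC 822 message; return ("reject", reasons) or ("accept", [])."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    blocked = blocked_attachments(msg)
    if blocked:
        reasons.append("blocked attachment type: " + ", ".join(blocked))
    if matches_goner_lure(msg):
        reasons.append("matches W32/Goner lure (subject/body/attachment)")
    return ("reject" if reasons else "accept", reasons)


def build_sample():
    """Constructed message mirroring the worm's lure; the payload is a harmless placeholder."""
    msg = EmailMessage()
    msg["From"] = "infected-user@example.com"
    msg["To"] = "contact@example.org"
    msg["Subject"] = GONER_SUBJECT
    msg.set_content("How are you ?\n"
                    "When I saw this screen saver, I immediately thought about you\n"
                    "I am in a harry, I promise you will love it!\n")
    msg.add_attachment(b"PLACEHOLDER-NOT-THE-WORM", maintype="application",
                       subtype="octet-stream", filename=GONER_ATTACHMENT)
    return msg.as_bytes()


def build_clean_sample():
    """Constructed benign message with a text attachment, for contrast."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "Meeting notes"
    msg.set_content("Attached are the notes from today.\n")
    msg.add_attachment("1. Patch mail gateway\n2. Update AV signatures\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(filter_message(build_sample()))
    print(filter_message(build_clean_sample()))
```

<p>The extension check is the one that actually stops the worm at the gateway, since it does not depend on the exact lure text; the signature check is useful mainly for counting and reporting Goner traffic, which the Reporting section below asks sites to do.</p>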
<h2>Reporting</h2>
<p>The CERT/CC is interested in receiving reports of this activity.
If machines under your administrative control are compromised, please
send mail to <a href="mailto:cert@cert.org?Subject=[CERT%2327693]">cert@cert.org</a>
with the following text included in the subject line:
"[CERT#27693]".</p>
<a name="vendors"></a>
<h2>Appendix A. Vendor Information</h2>
<h4>Antivirus Vendor Information</h4>
<h3>Computer Associates</h3>
<dl><dd>
<a href="http://www3.ca.com/solutions/collateral.asp?CT=65&amp;ID=1212">http://www3.ca.com/solutions/collateral.asp?CT=65&amp;ID=1212</a>
</dd></dl>
<h3>F-Secure Corp</h3>
<dl><dd>
<a href="http://www.fsecure.com/v-descs/goner.shtml">http://www.fsecure.com/v-descs/goner.shtml</a>
</dd></dl>
<h3>McAfee</h3>
<dl><dd>
<a href="http://vil.nai.com/vil/virusSummary.asp?virus_k=99272">http://vil.nai.com/vil/virusSummary.asp?virus_k=99272</a>
</dd></dl>
<h3>Norman Data Defense Systems</h3>
<dl><dd>
<a href="http://www.norman.com/virus_info/w32_goner_a_mm.shtml">http://www.norman.com/virus_info/w32_goner_a_mm.shtml</a>
</dd></dl>
<h3>Sophos</h3>
<dl><dd>
<a href="http://www.sophos.com/virusinfo/analyses/w32gonera.html">http://www.sophos.com/virusinfo/analyses/w32gonera.html</a>
</dd></dl>
<h3>Symantec</h3>
<dl><dd>
<a href="http://www.sarc.com/avcenter/venc/data/w32.goner.a@mm.html">http://www.sarc.com/avcenter/venc/data/w32.goner.a@mm.html</a>
</dd></dl>
<h3>Trend Micro</h3>
<dl><dd><a href="http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_GONE.A">http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_GONE.A</a>
</dd></dl>
<p>
In addition to these specific vendors, you may wish to visit the CERT/CC's computer virus resources page located at
<dl><dd>
<a href="http://www.cert.org/other_sources/viruses.html">http://www.cert.org/other_sources/viruses.html</a>
</dd></dl>
<p>
<hr noshade="" width="100%"/>
<b>Author(s)</b>: Brian B. King, John Shaffer, Robert Hanson<br/>
<p>Copyright 2001 Carnegie Mellon University.</p>
<p>Revision History
<pre>
December 4, 2001: Initial Release
</pre>
</p></p></p></p></p></p></p></p></p></p></p></p></p></p></p>