----- Original Message -----
From: "X-Force" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, December 04, 2001 3:26 PM
Subject: ISSalert: ISS Security Alert: Goner/Pentagone Mass-Mailer Worm
| -----BEGIN PGP SIGNED MESSAGE-----
|
| Internet Security Systems Security Alert
| December 4, 2001
|
| Goner/Pentagone Mass-Mailer Worm
|
| Synopsis:
|
| Internet Security Systems (ISS) X-Force is aware of a new virulent e-mail
| worm that is currently propagating rapidly. The worm is disguised as an
| .SCR screensaver file and is propagated via email and the ICQ chat
| network. Goner is mildly destructive and generates a large amount of
| network traffic, which may overload network devices and email gateways.
| Goner also attempts to disable personal firewall and antivirus software.
| Users who rely on these products may or may not be protected. In
| addition, the Goner worm contains a powerful distributed denial of
| service (DDoS) component, which may enable attackers to control infected
| systems over the IRC (Internet Relay Chat) network to initiate flooding
| attacks on targets.
|
| Description:
|
| The Goner worm infects Microsoft Outlook and Microsoft Outlook Express
| users by delivering the worm executable in the form of an .SCR file
| attachment. The filename is GONE.SCR. This file needs to be manually
| executed by the user to spread. The body and subject of each infected
| email are identical. Upon infection, the Goner worm will send a copy of
| itself to every contact in the user's address book.
|
| Microsoft Outlook 2002 will block potentially harmful attachments by
| default. Outlook 2002 will also prompt users with the following
| information in a dialog box if the worm is executed:
|
| A program is trying to access e-mail addresses you have stored in
| Outlook. Do you want to allow this?
| If this is unexpected, it may be a virus and you should choose "No".
| The following is an example of an infected email message:
|
| Subject: Hi
|
| How are you ?
| When I saw this screen saver, I immediately thought about you
| I am in a harry, I promise you will love it!
|
| Attachment: GONE.SCR
|
| The worm also has the ability to propagate via ICQ if it is installed.
| Goner uses ICQ's ICQMAPI.DLL interface to send copies of itself to all
| contacts that are currently online. The contact must approve the file
| transfer to receive a copy of the worm. The contact must then execute
| the file in order to be infected. The worm also includes a backdoor to
| infect mIRC installations, so that they can be used to launch IRC-based
| distributed denial of service attacks.
|
| The Goner worm copies itself to the infected user's hard drive, and then
| points a registry key to the file location to execute the worm each time
| the system reboots. The following registry key is created:
|
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
| Run\%System%\gone.scr = %System%\gone.scr
|
| Goner also attempts to disable antivirus and personal firewall software.
| The list of antivirus and personal firewall executables appears to have
| been taken from a previous worm, known as I-Worm.fog.
| More information on the I-Worm.fog email worm is available at:
| http://www.avp.ch/avpve/worms/email/fog.stm
|
| The Goner worm kills the following processes upon infection, and then
| attempts to delete the associated executables:
|
| IAMAPP.EXE - AtGuard Personal Firewall
| IAMSERV.EXE - AtGuard Personal Firewall
|
| APLICA32.EXE - unknown
|
| ZONEALARM.EXE - ZoneLabs ZoneAlarm
|
| ESAFE.EXE - eSafe, Aladdin Knowledge Systems
|
| CFIADMIN.EXE - ConSeal PC Firewall
| CFIAUDIT.EXE - ConSeal PC Firewall
| CFINET.EXE - ConSeal PC Firewall
| CFINET32.EXE - ConSeal PC Firewall
| PCFWallIcon.EXE - ConSeal PC Firewall
| FRW.EXE - ConSeal PC Firewall
|
| VSHWIN32.EXE - McAfee VirusScan
| VSECOMR.EXE - McAfee VirusScan
| WEBSCANX.EXE - McAfee VirusScan
| AVCONSOL.EXE - McAfee VirusScan
| VSSTAT.EXE - McAfee VirusScan
|
| NAVAPW32.EXE - Norton AntiVirus
| NAVW32.EXE - Norton AntiVirus
|
| _AVP32.EXE - AVP Scanner
| _AVPCC.EXE - AVP Control Centre Application
| _AVPM.EXE - AVP Monitor
| AVP32.EXE - AVP Scanner
| AVPCC.EXE - AVP Control Centre Application
| AVPM.EXE - AVP Monitor
| AVP.EXE - AntiViral Toolkit Pro (AVP)
|
| LOCKDOWN2000.EXE - LockDown 2000 (http://harbortelco.com/)
|
| ICMON.EXE - Sophos Antivirus Monitor
| ICLOAD95.EXE - Sophos Antivirus for Windows 95
| ICSUPP95.EXE - Sophos Antivirus for Windows 95
| ICLOADNT.EXE - Likely Sophos Antivirus for Windows NT
| ICSUPPNT.EXE - Likely Sophos Antivirus for Windows NT
|
| TDS2-98.EXE - TDS-2 Trojan Defense Suite (http://www.diamondcs.com.au/)
| TDS2-NT.EXE - TDS-2 Trojan Defense Suite (http://www.diamondcs.com.au/)
|
| SAFEWEB.EXE - Safeweb
|
| Recommendations:
|
| ISS X-Force recommends that all users and system administrators update
| their antivirus software and initiate a virus scan.
|
| Network administrators may choose to filter ICQ traffic during an
| infection to block further propagation. ICQ client to server
| communication is conducted over TCP port 5190.
| Network administrators may also block the worm's communication over IRC
| by blocking the host, "twisted.ma.us.dal.net".
|
| Consider upgrading Microsoft Outlook email clients to Outlook 2002.
| Outlook 2002 has many security features that will block the propagation
| of Goner and many other worms.
|
| To remove the Goner worm from your system:
| 1. Delete the registry key created by Goner:
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
| Run\%System%\gone.scr = %System%\gone.scr
|
| 2. Delete the file GONE.SCR from your system. Depending on your
| configuration, this file will be in C:\WINDOWS\system\ or
| C:\WINNT\system32\.
|
| ISS X-Force will provide detection and assessment support for this
| vulnerability in upcoming X-Press Updates for RealSecure Network Sensor
| and Internet Scanner.
|
| RealSecure Network Sensor:
| ISS RealSecure intrusion detection customers may use the following
| user-defined signature to detect the 'GONER' worm. Follow
| the instructions below to apply the user-defined signature to your
| policy.
|
| - From the Sensor window:
| 1. Right-click on the sensor and select 'Properties'.
| 2. Choose a policy you want to use, and click 'Customize'.
| 3. Select the 'User Defined Events' tab.
| 4. Click 'Add' on the right hand side of the dialog box.
| 5. Create a User Defined Event.
| 6. Type in a name of the event, such as 'GONER'.
| 7. In the 'Context' field for each event, select 'Email_Content'.
| In the 'String' field, type the following string:
| I am in a harry, I promise you will love it!
| 8. Click 'Save', and then 'Close'.
| 9. Click 'Apply to Sensor' or 'Apply to Engine', depending on the
| version of RealSecure you are using.
|
| This should detect any incoming email containing the worm that is being
| delivered to an SMTP server. RS can also be modified to detect the GONER
| worm destined to a POP server. In addition to the steps above, the
| policy file template must be modified using a text editor.
| In the SMTP field of the \template\protocol section add the POP ports to
| the SMTP definitions. This section is shown below:
|
| [\template\protocols\];
| http =S 80;
| ftp =S 21;
| smtp =S 25, 109-110;
| pop =S 109-110;
| imap =S 143 220;
| nntp =S 119;
| [\template\userdefinedsignatures\];
|
|
| Additional Information:
|
| ISS X-Force Database,
| http://xforce.iss.net/static/7638.php
|
| F-Secure,
| http://www.f-secure.com/v-descs/goner.shtml
|
|
| ______
|
| About Internet Security Systems (ISS)
| Internet Security Systems is a leading global provider of security
| management solutions for the Internet, protecting digital assets and
| ensuring safe and uninterrupted e-business. With its industry-leading
| intrusion detection and vulnerability assessment, remote managed
| security services, and strategic consulting and education offerings, ISS
| is a trusted security provider to more than 8,000 customers worldwide
| including 21 of the 25 largest U.S. commercial banks and the top 10 U.S.
| telecommunications companies. Founded in 1994, ISS is headquartered in
| Atlanta, GA, with additional offices throughout North America and
| international operations in Asia, Australia, Europe, Latin America and
| the Middle East. For more information, visit the Internet Security
| Systems web site at www.iss.net or call 888-901-7477.
|
| Copyright (c) 2001 Internet Security Systems, Inc. All rights reserved
| worldwide.
|
| Permission is hereby granted for the redistribution of this Alert
| electronically. It is not to be edited in any way without express
| consent of the X-Force. If you wish to reprint the whole or any part
| of this Alert in any other medium excluding electronic medium, please
| e-mail [EMAIL PROTECTED] for permission.
|
| Disclaimer
|
| The information within this paper may change without notice. Use of
| this information constitutes acceptance for use in an AS IS condition.
| There are NO warranties with regard to this information.
| In no event shall the author be liable for any damages whatsoever
| arising out of or in connection with the use or spread of this
| information. Any use of this information is at the user's own risk.
|
| X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
| as well as on MIT's PGP key server and PGP.com's key server.
|
| Please send suggestions, updates, and comments to: X-Force
| [EMAIL PROTECTED] of Internet Security Systems, Inc.
|
| -----BEGIN PGP SIGNATURE-----
| Version: 2.6.3a
| Charset: noconv
|
| -----END PGP SIGNATURE-----

---------------------------------------------------------
Archived messages from this list can be found at:
http://www.mail-archive.com/tech-cord@aea5.k12.ia.us/
---------------------------------------------------------
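As an added example (not part of the ISS alert or of the list message above), the following Python script applies the indicators the alert gives for the infected message (the subject "Hi", the body string used as the RealSecure Email_Content signature, and the GONE.SCR attachment name) to raw e-mail messages, so a mail administrator can triage a mailbox or quarantine folder offline; the two sample messages are constructed for the demonstration, not real captures.

```python
"""Check raw e-mail messages against the Goner indicators quoted in the alert."""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the alert: fixed subject, fixed body line (the
# RealSecure Email_Content string) and the fixed attachment name.
GONER_SUBJECT = "Hi"
GONER_BODY_STRING = "I am in a harry, I promise you will love it!"
GONER_ATTACHMENT = "gone.scr"


def goner_indicators(raw_message: str) -> dict:
    """Parse one RFC 822 message and report which Goner indicators it matches."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body_hit = attachment_hit = False
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower() == GONER_ATTACHMENT:
            attachment_hit = True
        elif part.get_content_type() == "text/plain":
            # Decoded text of the body part, whatever transfer encoding was used.
            if GONER_BODY_STRING in part.get_content():
                body_hit = True
    subject = str(msg.get("Subject", "")).strip()
    return {"subject": subject == GONER_SUBJECT,
            "body": body_hit, "attachment": attachment_hit}


def is_goner(raw_message: str) -> bool:
    """The body string (the alert's signature) or the .SCR name alone is enough to flag."""
    hits = goner_indicators(raw_message)
    return hits["body"] or hits["attachment"]


def build_sample(subject: str, body: str, attachment_name: str = "") -> str:
    """Constructed sample message for this demonstration (not a real capture)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"placeholder bytes, not the worm", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_string()


# Constructed samples: one mirroring the alert's infected message, one benign.
INFECTED_SAMPLE = build_sample(
    "Hi", "How are you ?\nWhen I saw this screen saver, I immediately thought about you\n"
    + GONER_BODY_STRING + "\n", "GONE.SCR")
BENIGN_SAMPLE = build_sample("Hi", "Lunch tomorrow?\n")
```

Note that the attachment check is case-insensitive, so a renamed Gone.scr is still flagged, while the subject alone is never treated as a hit because "Hi" is far too common to act on.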