The list is back online

Todd,

Probably a bug in the virus!) Or maybe somebody with a sarcastic sense of
poetic justice hacked the virus and instructed it to send the original
author's personal info to the FBI. If wishes were wings, pigs would fly.

-Gary

-----Original Message-----
From: Todd Anderson [mailto:tanderson@...]
Sent: Wednesday, December 05, 2001 9:55 AM
To: 'vantage@yahoogroups.com'
Subject: [Vantage] The list is back online


To All:

The Vantage list is back online.

After reading through the info on the Goner virus yesterday it appears that
as long as attachments are blocked the virus cannot spread.

I'm still not sure I understand how we all received the binary junk
yesterday in the bodies of several emails but it appears to be harmless.

So, another day begins ...

Todd Anderson

======================================

Win32/Goner.A.Worm

Also known as W32.Goner.A@mm

The worm attaches itself to an email with the subject line "Hi", and
attachment name "gone.scr". The message body reads:

How are you ?
When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!

Once activated, the worm displays a message box about its origin.

pentagone

coded by: suid

tested by: ThE_SKuLL and |satan|

greetings to: traceWar, k9-unit, stef16,^Reno

greetings also to nonick2 out there where ever you are.

Later the worm displays the following error message:

Error While Analyze DirectX!

The worm searches for the following processes in memory:

APLICA32.EXE
ZONEALARM.EXE
ESAFE.EXE
APLICA32.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET32.EXE
CFINET.EXE
IAMSERV.EXE
IAMAPP.EXE
PCFWallIcon.EXE
FRW.EXE
VSHWIN32.EXE
VSECOMR.EXE
WEBSCANX.EXE
AVCONSOL.EXE
VSSTAT.EXE
NAVAPW32.EXE
NAVW32.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
AVP32.EXE
AVPCC.EXE
AVPM.EXE
AVP.EXE
LOCKDOWN2000.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLOADNT.EXE
ICSUPPNT.EXE
TDS2-98.EXE
TDS2-NT.EXE
SAFEWEB.EXE

Once found, the process is terminated. The worm then searches and deletes
all files in the directory from which the target process was launched. If
any files cannot be removed, Goner will note the file name(s) in WININIT.INI
and automatically attempt to remove these files the next time your computer
is restarted. Goner also specifically targets the directory: "C:\Safeweb"
and deletes all files from this folder.

The worm drops a copy of itself as "gone.scr" to the System directory, and
modifies the registry to ensure it is run on Windows startup. The worm adds
the value:

%System%\gone.scr

to the following registry key:

HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

and sets the value data to:

"%System%\gone.scr"

The worm also utilizes ICQ and sends itself to the Contact List users who
are currently online. If the worm finds the mIRC folder, it creates the file
remote32.ini and adds references to this file into the mirc.ini file. The
code in the remote32.ini file is a zombie and may be used in a DoS attack.



