RE: Gone Worm

From: Chris Eidem (jceidem@dexma.com)
Date: 12/05/01


Date: Wed, 5 Dec 2001 15:33:39 -0600
From: "Chris Eidem" <jceidem@dexma.com>
To: "Andrew Blevins" <ABlevins@arrowheadgrp.com>, <incidents@securityfocus.com>

not too difficult to clean up.

1. shut down the program (gone.scr) from task manager
2. dir \gone*.* /s (it dumps itself in a variety of places:
   \windows\system, \winnt\system, \temp, \winnt\profiles
   but one tricky place is that it dumps itself into the \winnt\system32
dir
   with the system, hidden and read-only bits set so make sure to do a
      attrib go*.* in that dir and make sure it isn't there. if it is,
   attrib -h -s -r gon*.* and then delete them
3. delete the key in the registry, it's in
   HKLM\Software\Microsoft\Windows\CurrentVersion\Run\gone.scr
4. reboot and if you dug it out of all of its hiding places, you
shouldn't see it running.

hth,
chris

> -----Original Message-----
> From: Andrew Blevins [mailto:ABlevins@arrowheadgrp.com]
> Sent: Wednesday, December 05, 2001 12:02 PM
> To: incidents@securityfocus.com
> Subject: Gone Worm
>
>
> Has anyone had any success with isolating the Trojan script
> with this worm,
> and having a for sure successful cleanup? Any help appreciated, and I
> apologize in advance if I have missed a previous posting.
> Blevins
>
>
> --------------------------------------------------------------
> --------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com