RE: Gone Worm

From: Chris Eidem (jceidem@dexma.com)
Date: 12/05/01


Date: Wed, 5 Dec 2001 15:33:39 -0600
From: "Chris Eidem" <jceidem@dexma.com>
To: "Andrew Blevins" <ABlevins@arrowheadgrp.com>, <incidents@securityfocus.com>

not too difficult to clean up.

1. shut down the program (gone.scr) from task manager
2. dir \gone*.* /s (it dumps itself in a variety of places:
   \windows\system, \winnt\system, \temp, \winnt\profiles
   but one tricky place is that it dumps itself into the \winnt\system32 dir
   with the system, hidden and read-only bits set so make sure to do a
   attrib go*.* in that dir and make sure it isn't there. if it is,
   attrib -h -s -r gon*.* and then delete them
3. delete the key in the registry, it's in
   HKLM\Software\Microsoft\Windows\CurrentVersion\Run\gone.scr
4. reboot and if you dug it out of all of its hiding places, you
   shouldn't see it running.

hth,
chris

> -----Original Message-----
> From: Andrew Blevins [mailto:ABlevins@arrowheadgrp.com]
> Sent: Wednesday, December 05, 2001 12:02 PM
> To: incidents@securityfocus.com
> Subject: Gone Worm
>
>
> Has anyone had any success with isolating the Trojan script
> with this worm,
> and having a for sure successful cleanup? Any help appreciated, and I
> apologize in advance if I have missed a previous posting.
> Blevins
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>
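
A read-only check for step 4 of the cleanup above, written as an added example (not part of the original post, and in PowerShell, which postdates it). It assumes the names given in the post (gone.scr, gone*.*, the HKLM Run key); the `$Root` parameter and the match on value names starting with "gone" are assumptions of this example.

```powershell
# Added example: reports leftovers only, deletes nothing.
# Assumption: search root defaults to the system drive; pass -Root to change it.
param([string]$Root = "$env:SystemDrive\")

# Step 1 of the post: is an image named gone* (e.g. gone.scr) still running?
$procs = @(
    Get-CimInstance Win32_Process |
        Where-Object { $_.Name -like 'gone*' } |
        Select-Object @{n='Kind';   e={'Process'}},
                      @{n='Item';   e={$_.Name}},
                      @{n='Detail'; e={"PID $($_.ProcessId)"}}
)

# Step 2: the equivalent of "dir \gone*.* /s", but -Force also returns copies
# that carry the hidden and system bits (the \winnt\system32 case in the post).
$files = @(
    Get-ChildItem -Path $Root -Filter 'gone*.*' -File -Recurse -Force `
                  -ErrorAction SilentlyContinue |
        Select-Object @{n='Kind';   e={'File'}},
                      @{n='Item';   e={$_.FullName}},
                      @{n='Detail'; e={$_.Attributes.ToString()}}
)

# Step 3: look for a Run value whose name starts with "gone".
$runKey = Get-Item -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$values = @(
    $runKey.GetValueNames() |
        Where-Object { $_ -like 'gone*' } |
        Select-Object @{n='Kind';   e={'RunValue'}},
                      @{n='Item';   e={$_}},
                      @{n='Detail'; e={[string]$runKey.GetValue($_)}}
)

$findings = $procs + $files + $values
if ($findings.Count -eq 0) {
    'No gone* process, file or Run value found.'
} else {
    # Any row here means one of the hiding places was missed.
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated prompt so that directories the current user cannot read are not silently skipped.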
