mass mailer worm alert.urgent

From: patachon <phsov@xxxxxxx>
Date: Wed, 5 Dec 2001 08:14:45 -0600

Internet Security Systems Security Alert
December 4, 2001

Goner/Pentagone Mass-Mailer Worm

Synopsis:

Internet Security Systems (ISS) X-Force is aware of a new virulent e-
mail worm that is currently propagating rapidly. The worm is disguised
as an .SCR screensaver file and is propagated via email and the ICQ chat
network. Goner is mildly destructive and generates a large amount of
network traffic, which may overload network devices and email gateways.
Goner also attempts to disable personal firewall and antivirus software.
Users who rely on these products may or may not be protected. In
addition, the Goner worm contains a powerful distributed denial of
service (DDoS) component, which may enable attackers to control infected
systems over the IRC (Internet Relay Chat) network to initiate flooding
attacks on targets.

Description:

The Goner worm infects Microsoft Outlook and Microsoft Outlook Express
users by delivering the worm executable in the form of an .SCR file
attachment. The filename is GONE.SCR. This file needs to be manually
executed by the user to spread. The body and subject of each infected email
are identical. Upon infection, the Goner worm will send a copy of itself
to every contact in the user's address book.

Microsoft Outlook 2002 will block potentially harmful attachments by
default. Outlook 2002 will also prompt users with the following
information in a dialog box if the worm is executed:

A program is trying to access e-mail addresses you have stored in
Outlook. Do you want to allow this?
If this is unexpected, it may be a virus and you should choose "No".

The following is an example of an infected email message:

Subject: Hi

How are you ?
When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!

Attachment: GONE.SCR

The worm also has the ability to propagate via ICQ if it is installed.
Goner uses ICQ's ICQMAPI.DLL interface to send copies of itself to all
contacts that are currently online. The contact must approve the file
transfer to receive a copy of the worm. The contact must then execute
the file in order to be infected. The worm also includes a backdoor to
infect mIRC installations, so that they can be used to launch IRC-based
distributed denial of service attacks.

The Goner worm copies itself to the infected user's hard drive, and then
points a registry key to the file location to execute the worm each time
the system reboots. The following registry key is created:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run\%System%\gone.scr = %System%\gone.scr

Goner also attempts to disable antivirus and personal firewall software.
The list of antivirus and personal firewall executables appears to have
been taken from a previous worm, known as I-Worm.fog. More information
on the I-Worm.fog email worm is available at:
http://www.avp.ch/avpve/worms/email/fog.stm

The Goner worm kills the following processes upon infection, and then
attempts to delete the associated executables:

IAMAPP.EXE - AtGuard Personal Firewall
IAMSERV.EXE - AtGuard Personal Firewall

APLICA32.EXE - unknown

ZONEALARM.EXE - ZoneLabs ZoneAlarm

ESAFE.EXE - eSafe, Aladdin Knowledge Systems

CFIADMIN.EXE - ConSeal PC Firewall
CFIAUDIT.EXE - ConSeal PC Firewall
CFINET.EXE - ConSeal PC Firewall
CFINET32.EXE - ConSeal PC Firewall
PCFWallIcon.EXE - ConSeal PC Firewall
FRW.EXE - ConSeal PC Firewall

VSHWIN32.EXE - McAfee VirusScan
VSECOMR.EXE - McAfee VirusScan
WEBSCANX.EXE - McAfee VirusScan
AVCONSOL.EXE - McAfee VirusScan
VSSTAT.EXE - McAfee VirusScan

NAVAPW32.EXE - Norton AntiVirus
NAVW32.EXE - Norton AntiVirus

_AVP32.EXE - AVP Scanner
_AVPCC.EXE - AVP Control Centre Application
_AVPM.EXE - AVP Monitor
AVP32.EXE - AVP Scanner
AVPCC.EXE - AVP Control Centre Application
AVPM.EXE - AVP Monitor
AVP.EXE - AntiViral Toolkit Pro (AVP)

LOCKDOWN2000.EXE - LockDown 2000 (http://harbortelco.com/)

ICMON.EXE - Sophos Antivirus Monitor
ICLOAD95.EXE - Sophos Antivirus for Windows 95
ICSUPP95.EXE - Sophos Antivirus for Windows 95
ICLOADNT.EXE - Likely Sophos Antivirus for Windows NT
ICSUPPNT.EXE - Likely Sophos Antivirus for Windows NT

TDS2-98.EXE - TDS-2 Trojan Defense Suite (http://www.diamondcs.com.au/)
TDS2-NT.EXE - TDS-2 Trojan Defense Suite (http://www.diamondcs.com.au/)

SAFEWEB.EXE - Safeweb

Recommendations:

ISS X-Force recommends that all users and system administrators update
their antivirus software and initiate a virus scan.

Network administrators may choose to filter ICQ traffic during an
infection to block further propagation. ICQ client to server
communication is conducted over TCP port 5190. Network administrators
may also block the worm's communication over IRC by blocking the host,
"twisted.ma.us.dal.net".

Consider upgrading Microsoft Outlook email clients to Outlook 2002.
Outlook 2002 has many security features that will block the propagation
of Goner and many other worms.

To remove the Goner worm from your system:
1. Delete the registry key created by Goner:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run\%System%\gone.scr = %System%\gone.scr

2. Delete the file GONE.SCR from your system. Depending on your
configuration, this file will be in C:\WINDOWS\system\ or
C:\WINNT\system32\.

ISS X-Force will provide detection and assessment support for this
vulnerability in upcoming X-Press Updates for RealSecure Network Sensor
and Internet Scanner.

RealSecure Network Sensor:
ISS RealSecure intrusion detection customers may use the following
user-defined signature to detect the 'GONER' worm. Follow
the instructions below to apply the user-defined signature to your
policy.

- From the Sensor window:
1. Right-click on the sensor and select 'Properties'.
2. Choose a policy you want to use, and click 'Customize'.
3. Select the 'User Defined Events' tab.
4. Click 'Add' on the right hand side of the dialog box.
5. Create a User Defined Event.
6. Type in a name of the event, such as 'GONER'.
7. In the 'Context' field for each event, select 'Email_Content'.
In the 'String' field, type the following string:
I am in a harry, I promise you will love it!
8. Click 'Save', and then 'Close'.
9. Click 'Apply to Sensor' or 'Apply to Engine', depending on the
version of RealSecure you are using.

This should detect any incoming email containing the worm that is being
delivered to an SMTP server. RealSecure can also be modified to detect the
GONER worm destined for a POP server. In addition to the steps above, the
policy file template must be modified using a text editor. In the smtp
field of the \template\protocols section, add the POP ports to the SMTP
definition. This section is shown below:

[\template\protocols\];
http =S 80;
ftp =S 21;
smtp =S 25, 109-110;
pop =S 109-110;
imap =S 143 220;
nntp =S 119;
[\template\userdefinedsignatures\];
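The same indicators the alert gives (the lure sentence used in the Email_Content signature above, and the GONE.SCR attachment name) can be checked at a mail gateway in software. The following Python script is an added example and is not part of the ISS alert; the messages it builds for testing are constructed samples, not captured worm mail, and it also flags any .SCR attachment in general because the worm depends on the screensaver disguise.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the alert text: the lure line the RealSecure
# signature matches on, and the attachment filename the worm uses.
GONER_BODY_STRING = "I am in a harry, I promise you will love it!"
GONER_ATTACHMENT = "gone.scr"


def goner_indicators(raw_message):
    """Return the Goner indicators found in one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        filename = part.get_filename()
        if filename:
            name = filename.lower()
            if name == GONER_ATTACHMENT:
                found.append("attachment:GONE.SCR")
            elif name.endswith(".scr"):
                found.append("attachment:.scr")  # generic screensaver lure
        elif part.get_content_type() == "text/plain":
            if GONER_BODY_STRING in part.get_content():
                found.append("body:lure-string")
    return found


def build_sample(lure, attachment_name=None):
    """Construct a test message (not a real capture) with optional lure/attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Hi"
    body = "How are you ?\n"
    if lure:
        body += "When I saw this screen saver, I immediately thought about you\n"
        body += GONER_BODY_STRING + "\n"
    msg.set_content(body)
    if attachment_name:
        # placeholder bytes only; no real executable is embedded
        msg.add_attachment(b"MZ\x90\x00placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return bytes(msg)


if __name__ == "__main__":
    for lure, name in [(True, "GONE.SCR"), (False, "photo.jpg"), (False, "funny.scr")]:
        print(name, goner_indicators(build_sample(lure, name)))
```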


Additional Information:

ISS X-Force Database,
http://xforce.iss.net/static/7638.php

F-Secure,
http://www.f-secure.com/v-descs/goner.shtml


______

About Internet Security Systems (ISS)
Internet Security Systems is a leading global provider of security
management solutions for the Internet, protecting digital assets and
ensuring safe and uninterrupted e-business. With its industry-leading
intrusion detection and vulnerability assessment, remote managed
security services, and strategic consulting and education offerings, ISS
is a trusted security provider to more than 8,000 customers worldwide
including 21 of the 25 largest U.S. commercial banks and the top 10 U.S.
telecommunications companies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and
the Middle East. For more information, visit the Internet Security
Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2001 Internet Security Systems, Inc. All rights reserved
worldwide.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part
of this Alert in any other medium excluding electronic medium, please
e-mail xforce@xxxxxxx for permission.

Disclaimer

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of or
in connection with the use or spread of this information. Any use of
this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
xforce@xxxxxxx of Internet Security Systems, Inc.

