I-Worm.Gone Viruses Information

Name: I-Worm.Gone
Category: Viruses
Description: Details
I-Worm.Goner

This is a virus-worm that spreads via the Internet as an attachment to infected e-mails, and also sends itself via the Internet pager ICQ. It attacks an IRC channel using a Trojan script, and protects itself from anti-virus programs.
The worm itself is a Windows PE EXE file about 38 KB in length and written in Visual Basic. It is packed by the program UPX. After unpacking, it is 148 KB in size.
An infected message contains:

The worm activates from an infected e-mail only when a user clicks on an attached file. Then it installs itself to the system and runs its spreading routine and payload. It displays animated windows with the following text:

Then it displays the following message dialogue:

Installation
While installing, the worm copies itself to the Windows system directory with the name GONE.SCR, and registers this file in the system registry auto-run key.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run C:\WINDOWS\SYSTEM\GONE.SCR = C:\WINDOWS\SYSTEM\GONE.SCR
Following this, the worm hides its main window, and continues spreading.
Spreading via E-mail
In order to send infected messages, the worm uses MS Outlook, and sends messages to all addresses found in the Outlook address book.
Spreading via ICQ
The worm spreads through the ICQ client. It uses the library ICQMAPI.DLL, which the worm copies from the directory C:\PROGRAM FILES\ICQ to the Windows system directory. It responds to the client program, looks for dialogue windows from the list below, and answers requests. The window titles are as follows:
Send Online File
Send Online File Request

The worm periodically looks for windows and closes them. The titles of the windows are as follows:
User has declined your request
Can't Send File Request
Send Online File [User Is in N/A mode]
Send Online File [User Is Away]
Send Online File [User Is Occupied]
Send Online File [User Is in DND mode]
User has declined your request
Can't Send File Request
Send Online File Request [User Is in N/A mode]
Send Online File Request [User Is Away]
Send Online File Request [User Is Occupied]
Send Online File Request [User Is in DND mode]

Attacking an IRC channel
The worm scans local disk directories for the file MIRC.INI. Where it finds one, it creates a new file, REMOTE32.INI, in the same directory and adds it to the file MIRC.INI. This script periodically joins a user with a random name to the IRC channel #pentagonex on the server twisted.ma.us.dal.net.
Protection from Anti-Virus Programs
While installing in the computer system, the worm scans the running processes, checking their names from the following list:
FINET.EXE
APLICA32.EXE
ZONEALARM.EXE
ESAFE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET32.EXE
PCFWallIcon.EXE
FRW.EXE
VSHWIN32.EXE
VSECOMR.EXE
WEBSCANX.EXE
AVCONSOL.EXE
VSSTAT.EXE
NAVAPW32.EXE
NAVW32.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
AVP32.EXE
AVPCC.EXE
AVPM.EXE
AVP.EXE
LOCKDOWN2000.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLOADNT.EXE
ICSUPPNT.EXE
TDS2-98.EXE
TDS2-NT.EXE
SAFEWEB.EXE
C:\SAFEWEB
When it finds a match, the worm terminates the process in memory and erases its file from the disk. It then erases all files in the process directory, including files in subdirectories. The worm looks for any remaining files and schedules their removal for the next restart of the computer by adding delete commands to the file WININIT.INI.
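A triage check for the three on-disk traces described above (the GONE.SCR auto-run value, the REMOTE32.INI entry in MIRC.INI, and delete commands in WININIT.INI), added here as an example and not part of the original description. It assumes the Run key values and both INI files have already been exported as text; the sample inputs are constructed, and the [rfiles] section and the [rename] / NUL= form are the usual mIRC and Windows 9x conventions, not details given on this page.

```python
import ntpath

# Subset of the security-tool process names listed in the description above.
WATCHED_TOOLS = {"ZONEALARM.EXE", "NAVAPW32.EXE", "AVP32.EXE", "VSHWIN32.EXE"}


def ini_entries(text):
    """Yield (section, key, value) from INI text, tolerating duplicate keys."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            yield section, key.strip(), value.strip()


def scan_artifacts(run_values, mirc_ini, wininit_ini):
    """Return a list of findings for the traces described on this page."""
    findings = []
    # 1. Auto-run value whose data points at GONE.SCR.
    for name, data in run_values.items():
        if ntpath.basename(data.strip('"')).upper() == "GONE.SCR":
            findings.append(f"run-key: {name} -> {data}")
    # 2. MIRC.INI entry that loads REMOTE32.INI.
    for section, key, value in ini_entries(mirc_ini):
        if ntpath.basename(value).upper() == "REMOTE32.INI":
            findings.append(f"mirc.ini: [{section}] {key}={value}")
    # 3. WININIT.INI [rename] entries of the form NUL=<file> (delete at reboot).
    for section, key, value in ini_entries(wininit_ini):
        if section == "rename" and key.upper() == "NUL":
            hit = ntpath.basename(value).upper() in WATCHED_TOOLS
            tag = "security tool" if hit else "review"
            findings.append(f"wininit.ini: pending delete {value} ({tag})")
    return findings


# Constructed sample inputs (not captured from a real infection).
SAMPLE_RUN = {
    r"C:\WINDOWS\SYSTEM\GONE.SCR": r"C:\WINDOWS\SYSTEM\GONE.SCR",
    "SystemTray": "SysTray.Exe",
}
SAMPLE_MIRC = "[rfiles]\nn0=remote.ini\nn1=remote32.ini\n"
SAMPLE_WININIT = ("[rename]\nNUL=C:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE\n"
                  "NUL=C:\\TEMP\\OLD.TMP\n")

if __name__ == "__main__":
    for finding in scan_artifacts(SAMPLE_RUN, SAMPLE_MIRC, SAMPLE_WININIT):
        print(finding)
```

Pending deletes tagged "review" are not necessarily malicious, since installers also write NUL= entries; the tag only separates them from deletes aimed at the listed security tools.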



© 2006-2008 spyware32.com