Computer upgrades, repairs, troubleshooting and consulting services. Products, virus and malware alerts  FAQs and VFaqs.

 

The Computer Guys

Miami to Fort Lauderdale Since 1994 - Thank You!

 


Virus and Malware Alerts

 


 

Alerts December 2001


Top 10 malware reported to Sophos in December 2001

Position  Last month  Malware          Percentage of reports
1         1           W32/Badtrans-B   92.4%
2         New         W32/Goner-A      1.0%
3         3           W32/Magistr-B    0.9%
4         5           W32/Sircam-A     0.7%
5         6           W32/Magistr-A    0.5%
6         7           W32/Hybris-B     0.3%
7=        2           W32/Nimda-A      0.2%
7=        New         W32/Sheer-A      0.2%
7=        4           W32/Nimda-D      0.2%
7=        Re-entry    W32/Apology-B    0.2%
Others                                 3.4%

 

 

This section describes how W32/Goner-A behaves.

 

W32/Goner-A spreads by email as a file attachment called GONE.SCR. It uses this name to pose as a screensaver. The worm arrives in an email with the following characteristics:

 

Subject: Hi

Message text: How are you ? When I saw this screen saver, I immediately thought about you I am in a harry, I promise you will love it!

 

W32/Goner-A attempts to disable anti-virus products installed on the infected computer. It does this by looking for the following processes:

 

_AVP32.EXE,
_AVPCC.EXE,
_AVPM.EXE,
APLICA32.EXE,
AVCONSOL.EXE,
AVP.EXE,
AVP32.EXE,
AVPCC.EXE,
AVPM.EXE,
CFIADMIN.EXE,
CFIAUDIT.EXE,
CFINET.EXE,
CFINET32.EXE,
ESAFE.EXE,
FRW.EXE,
IAMAPP.EXE,
IAMSERV.EXE,
ICLOAD95.EXE,
ICLOADNT.EXE,
ICMON.EXE,
ICSUPP95.EXE,
ICSUPPNT.EXE,
LOCKDOWN2000.EXE,
NAVAPW32.EXE,
NAVW32.EXE,
PCFWallIcon.EXE,
TDS2-98.EXE,
TDS2-NT.EXE,
SAFEWEB.EXE,
VSHWIN32.EXE,
VSECOMR.EXE,
VSSTAT.EXE,
WEBSCANX.EXE,
ZONEALARM.EXE.

 

If the worm finds one of the above processes, it will attempt to terminate it. The worm will also attempt to delete all files from any directory containing files of those names, and creates a file called wininit.ini in order to delete any remaining files the next time Windows is restarted.

Sophos recommends customers check that affected computers are correctly running the latest version of Sophos Anti-Virus.

 

The worm deletes all files from the C:\SAFEWEB\ directory.

 

The worm also infects the Internet Relay Chat client mIRC. It does this by dropping an mIRC script file, REMOTE32.INI, in the mIRC folder and adding a section to MIRC.INI that loads the dropped script when the victim uses mIRC.

 

It also propagates using the messaging program ICQ.

 

The worm creates a copy of itself named gone.scr in the Windows System directory. To ensure that the worm is run each time Windows is restarted, it creates a registry key containing the name of the worm file in

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
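The wininit.ini and Run-key artifacts described above can be checked on a suspect machine with a short triage script. This is an added example, not code from Sophos or from the original page. It assumes the standard Windows 9x wininit.ini layout, where a `NUL=<path>` line in the `[rename]` section queues a file for deletion at the next restart; the Run value names, the EXAMPLEAV path and all sample data are constructed.

```python
import ntpath

# Security-product process names, copied from the list on this page.
TARGETS = set("""_AVP32.EXE _AVPCC.EXE _AVPM.EXE APLICA32.EXE AVCONSOL.EXE
AVP.EXE AVP32.EXE AVPCC.EXE AVPM.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET.EXE
CFINET32.EXE ESAFE.EXE FRW.EXE IAMAPP.EXE IAMSERV.EXE ICLOAD95.EXE ICLOADNT.EXE
ICMON.EXE ICSUPP95.EXE ICSUPPNT.EXE LOCKDOWN2000.EXE NAVAPW32.EXE NAVW32.EXE
PCFWALLICON.EXE TDS2-98.EXE TDS2-NT.EXE SAFEWEB.EXE VSHWIN32.EXE VSECOMR.EXE
VSSTAT.EXE WEBSCANX.EXE ZONEALARM.EXE""".split())

def pending_deletes(wininit_text):
    # wininit.ini queues work in [rename] as dest=source; dest NUL means delete.
    # Parsed by hand: the key NUL repeats, which configparser rejects by default.
    section, paths = None, []
    for line in (raw.strip() for raw in wininit_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "rename" and "=" in line and not line.startswith(";"):
            dest, src = (part.strip() for part in line.split("=", 1))
            if dest.upper() == "NUL":
                paths.append(src)
    return paths

def triage(run_values, wininit_text):
    # run_values: {value name: command} read from the Run key named on this page.
    findings = []
    for name, command in run_values.items():
        if ntpath.basename(command.strip().strip('"')).lower() == "gone.scr":
            findings.append(f"Run value {name!r} starts {command}")
    for path in pending_deletes(wininit_text):
        if ntpath.basename(path).upper() in TARGETS:
            findings.append(f"wininit.ini will delete security file {path}")
    return findings

# Constructed sample data (not captured from a real infection).
SAMPLE_RUN = {"ExampleTray": r"C:\WINDOWS\tray.exe",
              "ExampleValue": r"C:\WINDOWS\SYSTEM\gone.scr"}
SAMPLE_WININIT = r"""[rename]
NUL=C:\PROGRA~1\EXAMPLEAV\AVP32.EXE
NUL=C:\WINDOWS\TEMP\~setup1.tmp
C:\WINDOWS\SYSTEM\new.dll=C:\WINDOWS\TEMP\new.tmp
NUL=C:\SAFEWEB\SAFEWEB.EXE
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN, SAMPLE_WININIT):
        print(finding)
```

The temporary-file deletion and the rename entry in the sample are ordinary installer leftovers and are not reported; only queued deletions of the listed security executables and a Run entry pointing at gone.scr are.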

 

When the worm is run for the first time, it shows a short graphical display and then displays a bogus error message. This is designed to fool the recipient into believing they received a genuine screensaver and that it has aborted for some reason.

[Image: W32/Goner-A graphical display]

[Image: W32/Goner-A error message]

 

 

 


 

 

 

Copyright © 1998 The Computer Guys
