VIRUS ALERT - URGENT

byron

RIP
Joined
16 May 2001
Messages
9,584
Location
UK -Berks
Update your Virus Checker NOW, There's a new baddie out in the last 24/48 hours.

W32/Goner@MM, also known as Pentagone, Goner or Gone. This is a NEW, HIGH RISK virus that spreads via Microsoft Outlook email and ICQ instant messaging programs. This mass-mailing worm will arrive from someone you know with the following email message:


www.education-jobs.co.uk
www.alexander-advertising.co.uk
 

BarryD

New member
Joined
10 Sep 2001
Messages
1,388
Location
Bathtub
Block / Disable *.SCR attachments

So far we've disabled over a 100 infected files today alone on our Mail servers. The poor little thing is going like the clappers - must buy the hamster a drink at the end of the day.

Normally we only see about 400 a month - so this must be a bad one.
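
The attachment blocking described in the post above, as an added example that is not part of the original thread: a Python sketch of the check a mail gateway could run on each message before delivery. Only the `.scr` extension, the `gone.scr` name and the "Hi" subject come from the thread; the function names, addresses and sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# .scr is the only extension named in the thread; extend the set per local policy.
BLOCKED_EXTENSIONS = {".scr"}


def risky_attachments(raw: bytes, blocked=BLOCKED_EXTENSIONS) -> list[str]:
    """Return the filenames of attachments whose effective extension is blocked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    # walk() also descends into forwarded (message/rfc822) parts.
    for part in msg.walk():
        name = part.get_filename()  # Content-Disposition filename, else Content-Type name
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so "gone.scr. " still opens as .scr.
        cleaned = name.strip().rstrip(". ").lower()
        # Only the last extension matters: "holiday.jpg.scr" is a screen saver, not a JPEG.
        ext = "." + cleaned.rsplit(".", 1)[-1] if "." in cleaned else ""
        if ext in blocked:
            hits.append(name)
    return hits


def build_sample(filename: str) -> bytes:
    """Constructed sample message; the attachment body is harmless placeholder bytes."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = "Hi"
    m.set_content("see attachment")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fname in ("GONE.SCR", "holiday.jpg.scr", "notes.txt"):
        found = risky_attachments(build_sample(fname))
        print(fname, "-> quarantine" if found else "-> deliver")
```
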
 
Guest
Re: VIRUS WORM_GONE.A

WORM_GONE.A
Risk rating:
Virus type: Worm
Destructive: Yes

Aliases:
GONE.A, WORM_GONER.A, I-Worm.Goner, Gone, W32/Goner@MM, Win32.Goner.A@mm, W32/Goner.ini, W32/Goner-A, Pentagone

Description:
This destructive, memory-resident worm is a Visual Basic-compiled Windows executable that propagates via email using Microsoft Outlook and through ICQ.

It finds certain files in memory and then terminates the processes of these found files. Thereafter, it executes its destructive payload of deleting files.

Solution:
Manual Cleaning on Windows 95/98/Me Systems:

1. Reboot the computer.
2. Before the startup logo appears, press F8.
3. Choose the “Command prompt only” option.
4. Go to the %System% directory. %System% is variable. It is usually located at C:\Windows\System.
5. At the command prompt, type the following command then hit the Enter key:
   attrib -s -h -r gone.scr
6. Type the following command and then hit the Enter key to delete the Worm file:
   del gone.scr
7. Restart the computer.
8. Double click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run>%System%
9. Look for the following registry entry and then delete it:
   gone.scr
10. Delete all files named REMOTE32.INI in your mIRC folders.
11. Either delete or restore from backup the file MIRC.INI.

Manual Cleaning on Windows NT/2000 Systems:

1. Kill all running instances of the worm in the task manager. Look for applications named “pentagone” and for processes named gone.scr. Kill these processes.
2. Scan your system with Trend Micro antivirus and delete all files detected as WORM_GONE.A. To do this Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro’s free online virus scanner.
3. Remove the registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\%System%\gone.scr
4. Delete all files named REMOTE32.INI in your mIRC folders.
5. Either delete or restore from backup the file MIRC.INI.

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network or home PC.



Tim Eades
http://www.btinternet.com/~tim.eades/
 

Col

New member
Joined
14 Oct 2001
Messages
2,577
Location
Berks
Re: it says "Hi" in the subject line...

Just curious.
Just heard, company firewall upgraded against this one, thanks
 

billskip

Well-known member
Joined
6 Sep 2001
Messages
10,672
Re: VIRUS WORM_GONE.A

just tried wot you advised TimE..computer dont work now wot do you advise I do next...
 
Guest
Re: VIRUS WORM_GONE.A

In what way won't work, could you give a few more details? Does it boot, can you get to OS selection, can you boot in safe mode, etc.?

I have just followed procedure on all OS's (98,ME,NT & 2000) with the worm after your message and have come across no problems myself.

Tim Eades
http://www.btinternet.com/~tim.eades/
 

Scubadoo

Well-known member
Joined
16 May 2001
Messages
1,882
Location
Hampshire / Solent
I hate McAfee, a bit slow getting fixes; some others already had the fixes available!

Spent last night trying to sort this virus out ready for a fix this morning (3,500 users), why oh why do people have to open every mail sent to them from unknown origin?

RM.
 
Guest
What a day

So far up to 16.45 today I have received 18 mails with W32/Goner@MM and 4 with badtrans and that has just been to my yahoo account.

I have tried to contact the admin at yahoo as their mail servers are supposed to be running an AV, just shows it's not only home users that forget to update their ide files.

Tim Eades
http://www.btinternet.com/~tim.eades/
 
Guest
Sorry to go on, but

I think the last 24/48 hours have again demonstrated just how vulnerable you can be when carrying out what are now everyday tasks such as reading your email or browsing the web.

I know I keep banging on about it but we are at the stage now where we can no longer rely on our mail service suppliers or ISP to keep on top of these instances of virus attacks.

What has made it worse is one of the leading virus writers from a few years ago has decided to go legit (in his view) and has now released a virus and worm building kit which is a free download on the net. So now any d1psh1t with a pc and a modem can cause havoc.

Steps to take:

1. Please, please get rid of Outlook and use Eudora. This will not stop you getting infected but it will stop the worm ripping contacts from your address book and sending itself and the virus to all your contacts.

2. Get an Anti Virus package. There are a couple of free ones available but it is worth spending £25 - £50 on a package that will update itself.

3. Check your updates on a regular basis. In the options or properties menu of most packages it will tell you when it was last updated.

4. Do a regular virus scan of your PC. Viruses don't just spread through email. They could be on the free CD you got with a PC magazine.

5. If you use a firewall as well make sure it is letting your AV software connect to its home site to download updates.

6. Never open an attachment without first scanning it.

These steps will not get rid of viruses and infections but hopefully it will limit the damage they can do.

One last thing, enjoy your computer. Surf the net, there's a world of information out there. But like most things in life be careful.

Tim Eades
http://www.btinternet.com/~tim.eades/
 

Scubadoo

Well-known member
Joined
16 May 2001
Messages
1,882
Location
Hampshire / Solent
Re: What a day

I don't think they forgot to update, actual fixes have only really started to be available. E.g. In our company we took action to stop the spread but it took a little longer to then get a proper fix and target infected users.

RM.
 