Join or sign in Register for your free TechRepublic membership or if you are already a member, sign in using your preferred method below. Use Your Email Use FacebookUse Linkedin

Have you been hit by the “Goner” worm?

Locked

Another new virus is spreading across the Internet. This one is referred to as the “Goner” worm (also GONE.A, WORM_GONER.A, I-Worm.Goner, Gone, or W32/Goner@MM). This one can do some serious damage and it is listed as “high risk” by a number of major anti-virus vendors. Have you been hit?

For more info, see:
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_GONE.A

Topic

In a word: No

In reply to Have you been hit by the “Goner” worm?

We have multiple layers of anti-virus protection. All of our layers had the right signature file to defeat this one.

James

It was caught

In reply to In a word: No

We also ‘caught’ it as it came in on the Exchange server. Yet, what worries me is the Proxy and Terminal Server, which both have BlackIce on them. I read the description of the it at antivirus.com, and I was told by a colleague that this virus hasthe ability to shut BlackIce down. Whch goes to show that you need more than one form of anti-virus software on your boxes esposed to the world.

Not Exactly

In reply to It was caught

Black Ice is a nice piece of kit for the home user, but there’s NO WAY I’d trust it on a commecial machine such as a Terminal Server or a Proxy Server.

Neither of these machines should be directly attached to the internet, I think that you shouldseriously consider spending a few hundred bucks on a firewall and consider some kind of mail sweeper SMTP gateway.

This worm WOULD be able to shut down an unprotected machine, you should patch Outlook on the terminal server, and the proxy server couldn’t get hit by this virus if a) no-one maps any drives to that machine, and b) No-one uses any e-mail software on it. This is an “e-mail” worm, meaning that it can’t infect a machine in the way Code Red did, you have to actively click on the attachment to get the worm going.

You’ve got and Exchange server, a Terminal server and a Proxy server, I’d hate to think that these machines are serving a network where the only protection from the internet is a Proxy server, this does a reasonable job for what it does, but it is NOT a firewall. The price of Firewalls has dropped recently, protect your investment, (And your job!) MimeSweeper, which is what I use for an SMTP gatekeeper will sit on an exchange box in a small network (but if you go for more than 25 users then get a separate box) it runs on NT workstation, and it can be independant of a domain, and stop all those nasties at the door!

Nope

In reply to Have you been hit by the “Goner” worm?

I use trend micro AV. The company that you have the link for the virus info. My site gets updated every morning at 7:00 which updates all my servers,exchange servers, and workstations automatically. Well since there pattern file wasnt released until 7:44 this morning, all I had to do was loginto my ant virus server and click one button which updated my entire network and whammm I was protected. Thank god for Trend…I still sing there praises, and after today even more.

Rad

Hey rad… not for nothing but

In reply to Nope

Are you able to block extensions in micro av?

If so, try using my method of extension blocking. I basically never have to worry about updating my definitions.

The bad guys can throw a million brand new vbs viruses at my network and they will never get thru. Even with 2 year old virus definitions.

Blocking extensions in my opinion is the only way to safeguard your network with the least amount of work and maintenance.

Just my thoughts

Yes it can BUT i have to update my

In reply to Hey rad… not for nothing but

store.exe in order to turn on the advanced mapi functions. Since i am the only one in the IT department that one keeps moving on the list of things to do. But I still no fear cause Trend is Great.

Rad

Update… You will be glad you did

In reply to Yes it can BUT i have to update my

I’m telling ya…. Once it is working you can just sit back and relax every time some idiot comes out with a new virus.

I used to have to baby sit our virus posture. Always being on the defensive.

Now I breath easy and can work on other things without having to worry about a nasty slipping thru because my definitions did’nt catch it.

Just an suggestion from one admin to another.

Reply To: Have you been hit by the “Goner” worm?

In reply to Update… You will be glad you did

“I’m telling ya…. Once it is working you can just sit back and relax every time some idiot comes out with a new virus.”

So all you do is lean back and wait until the next big ActiveX/Java/OE/Outlook/HTML exploit hits your systems, this time with something more sophisticated than just a .scr.pif and hits you? Extension blocking might be nice as ONE layer of defense, but to sell this as THE solution is a bit careless, don’t you think?

You need to define exploit vs virus

In reply to Reply To: Have you been hit by the “Goner” worm?

They are 2 different things.

While A virus writer might use a new exploit to carry out his evil deed.

His delivery method still has to be employed via a e-mail attachment.

By blanket blocking attachments, you are essentially stopping futureviruses.

So lets say a virus writer comes up with a new virus that exploits a hole in Outlook that was just discovered an hour ago. And that virus writer packages the virus as a vbs script.

It is fair to say that any attempts to send a vbs script into my network will be blocked because I do not all vbs files thru e-mail. Hence effectively blocking the attack.

This method is commonly used in firewalling. I have just employed it to e-mail.

In firewalling, you only allow in want youwant. If there is a new exploit that uses tftp and you don’t allow tftp in, then you will not be affected. Same principal.

Take a look at the following url for all of the extensions that I block:
http://www.directionweb.com/nettools/extensions.txtI basically have gone thru my system directories and selected every known file extension that can be used by the system and blocked it. With some exeptions of course that my users need to accomplosh their day to day jobs.

And yes, I do sit back and wait. And since my network has not been taken down in over 2 years, I beleive my method works. It is just one layer of defense that I employ. But it is a big part of it when it comes to e-mail borne attacks.

That’s an interesting POV

In reply to You need to define exploit vs virus

Since you’ve taken it upon yourself to burn everyone who has tried to help you, I’m not going to bother, ignorant Admins who think that their solution is “the” solution are the cause of the proliferation of viri such as Code Red.

I don’t doubt that by blocking “every known extention” you are able to keep the wolf from the door as far as blocking VBS goes, but you’re a virus writers dream come true, Visual Basic Script is just one way of hacking your system, but just by sending your users a spam mail saying “come and look at my site” and then exploiting an explorer “hole”.

Read any security book (I’d suggest “Hacking Exposed”) and you’ll see how poor your defenses are, I wouldn’t keep my money in a bank where the only security is to check the bags that are attached to the people coming in through the front door, which is what you’re suggesting people do, I’d want safes, glass walls between the people and the cashiers, panic buttons, alarms and everything else that goes with Secure Banks today, because otherwise, the moment someone gets round your defence, you’re stuffed! (For example by sending your user a virus in a zipped file, or are you giong to block .zip extentions as well?)

I’d really hate to be a user on your network, they’re so tied up with pointless security. They probably have a hard time doing anything on your network because you’re too focussed one kind of defence to look at the alternatives that may make your users lives easier.

Jon…. Before you blast…

In reply to You need to define exploit vs virus

First, you owe me an apology.

Second, I have read hacking exposed, several times.

I never claimed that this is a “fix all”.

But since, as I have said before, that my network has not been infected in 2 YEARS, since I have employed blocking.That has to count for something.

Granted, I do employ various other measures.
ACL’s at my routers, DMZ’s, patched machines, Bastion hosts, sniffers, nat for production machines, the list goes on.

But at the mail gateway what defense do you have? And since every e-mail bourne virus that I have seen has an attachment to it. Now whether or not the attachment is autoexecuting or not is not the issue.

The issue is if you never let the end user have the infected attachment they can not cause harm.

Let’s refer to nimbda. If you installed IIS without install index server, and if you follow the rules of securing IIS. You made sure that the mappings for ida and idq were gone. So when nimbda came out, you were automatically immune from the exploit.

And yes, if I find that zip files are carrying viruses I will block them too. The same way I block pdf’s, since it is now possible to nest a virus inside a pdf.

Maybe I am paranoid. Paranoia is the default emotion of a good admin. As long as you are always thinking that someone is tracking to bring down your network, then you will always be prepared.

I am /.

Lordinfidel – has got it right

In reply to You need to define exploit vs virus

Infidel –

Last year when the Love bug came out, I got nailed by it a second time, the same day I finished cleaning up after the intial attack. I swore never again. I agree with you, I use Antigen, and basically disallow attachments with system implications, I also do not allow MS office files as attachments either, because there is still a bit too much vulnerability in the template/macro battle front, tho most are recognized and documented. I rely on the Quarentine area to hold files, in case anyone really needs them. This allows me to scan them with the lates definitions and distribute them as warrented.

Microtrend is the best thing ,,,

In reply to Update… You will be glad you did

Since sliced bread. I used to use Nortona and Mcfee. Micro had an update for gone in a couple of hours. Ultimately the best thing is block out ext like vbs, exe .scr .bat. Pretty soon we wont allow any attachments and have users use VPN to send them.

Block Extensions

In reply to Hey rad… not for nothing but

As noted in some of the other responses, this is a great idea. For some reason we did not have “scr” blocked, but as soon as we heard about the virus we got it done. Though this approach does end up blocking “valid” attachments, this ensures all infected attachments don’t make into your network. The way to get around the block is to rename the file to something that is not blocked.

The way I tell my users….

In reply to Block Extensions

Renaming is good, but I don’t want them getting into the habit of renaming stuff. Then they will get used to seeing the infamous windows unkownn file type icon and just click on it.

Instead, I tell my users to zip things up that they need to send.

Most AV programs will scan the archive, but they will not pull out files that are blocked.

If if finds a actual virus it will block the entire archive.

How do you block Extensions?

In reply to Block Extensions

It sounds like a great idea, how is it done?

Use Outlook 98 Security Patch

In reply to How do you block Extensions?

Microsoft has had a Security Patch available for a while as “o98secu.exe”. This blocks all attachments in an executable format automatically. I received in the number of 100+ e-mails, and not a single “Gone” virus affected me.

How to block…

In reply to How do you block Extensions?

You need a gateway or message blocking based on content. Norton has both. You need a 3 prong approach, on the workstation/server active scanning, at the firewall/gateway and on the mail server itself. IF you can’t prevent your users from opening attchments from browser based personal mail, you better put all three in place. It is not a matter of how you get hit.. it is a matter of when.

Steve.

Block em’ all…

In reply to Block Extensions

If you are not blocking all “executabe” files types you are taking a high risk with your mail system. We get hit on a daily basis, once burned, twice smart. There is nothing worse than sending an appology to all your customers for sending them infected mail messages.

Steve,
IT Manager for a DOT.COM

block all you want..

In reply to Block em’ all…

We got stung by the goner virus. I work on a helpdesk at a hospital. All users must sign an agreement saying they will not load software on their computer. Our exchange servers are set to block certain types of mail coming in from the outside. But guess what. Someone in administration thought they were above any stinkin agreement, had loaded ICQ on his pc. Tah Dah! Within moments the message was bouncing back and forth, even after turning off mail services.

That’s confidence

In reply to Hey rad… not for nothing but

Just a caution – never, never, never, NEVER, NEVER, NnEeVvEeRr use absolutes when discussing systems!

The only certainties beyond death and taxes are that the low-lifes will always have the time to find a way through; they don’t otherwise have alife, you see.

Please forgive the callousness, but – as an illustration – I watched an A&E (I believe)Special on the design and construction of the WTC last spring. One “assurance” made in an interview on that program was by one of the center managers. His assurance was along this lines: “… these buildings will withstand the impact of a fully-loaded jetliner.” He is missing and presumed dead as a result of the tragedy of 9-11.

I would certainly NOT recommend to ANYONE in this business that they apply less than FULL RESOURCES AFFORDABLE to protecting their systems and their jobs.

Please consider what I’ve said.

Regards.

This virus should not have spread at all

In reply to Hey rad… not for nothing but

How many times do we have to tell people not to open attachements when they don’t expect them? I can recall at least one other virus in the past six months which had similary behavoir basically saying Hi?!? How are you can you look at this for me?!?!?

The pure simple fact of the matter is that most people who are infected with viri of this nature don’t follow the simplest of saftey precautions. Personally I have Outlook XP and couldn’t open the attchment if I wanted to. Lets educate some end users people!

Lessons learned

In reply to Nope

Like radicalis, we use Trend Mailscan (and love it) but learned that Murphy holds trumps. We update virus defs every night, so Goner wasn’t in our update. Like Rad, our admin heard about the worm before it struck and hit the manual update,too, but something went wrong with the download (traffic load at Trend?) that left us with a corrupt file that stopped the service, wouldn’t allow restart, and that kept us from using a fallback of blocking extensions. At least two instances made it into a neighboring WAN and were triggered by users there who shared our global address book. None of our users triggered the messages that flooded in (this time)so cleanup wasn’t too bad.

We downloaded a fresh copy of the defs on another machine, moved it on floppy to the server (they had to read the manual to learn how, but it is a simple copy into the folder) and have issued some new procedures. For one, keep a fairly recent copy of defs somewhere on the server (or even on floppy) as a fallback so that you can at least restart the service and start blocking extensions until you get a valid update.

Thanks for the Info

In reply to Lessons learned

I am going to make a copy of the virus defs right now.

Thanks to Lordinfidel too for info on extension blocking, I am going to move updateing my store.exe to the top of the list.

Rad

Problems with AV updates from all

In reply to Lessons learned

Good work on your recovery!! AV software not updating signature or dat files – That’s a real problem! I have had various AV software progs. (from different vendors, obviously) fail on the update the same way. And we’re talking about client machines,not fancy servers! By the time you get the problem resolved, some other teenage boy has written malicious code, and some machines get infected. These are stand-alone laptops with autoupdate enabled. When I get them back, and try a manual, about 30% of the time I also get lockups, and I don’t use Trend Micro, so it’s not just their problem. Yes, we can educate users… Thank gooness the kids who wrote Goner were caught. I hope several governments get involved to make sure that an example is madeof them!

GONER

In reply to Nope

YES, WE have been hit. Ironically I am in the middle of switching to NAV corporate AntiVirus, which is so much better for us.
it uodates automatically and pushes the updates to the workstations.

Yea But…

In reply to GONER

As of 4:00 yesterday afternoon Norton still had not released a pattern file that would catch this virus. Tren had theres out at 7:40 yesterday morning.

OUCH

Reply To: Have you been hit by the “Goner” worm?

In reply to Nope

If you have Auto Preview or Preview Pane turned on, can you be infected by this virus?

depends on who you ask

In reply to Reply To: Have you been hit by the “Goner” worm?

When we were hit and it was bouncing around on our servers. Many claim they had not opened the attachment. We found in some cases it showed an attachment and sometimes it did. It was our theory those that did not show an actual attachment and showedup in the preview pain were the ones sending out. But if you read a lot of the other postings they stress you have to open the document. The question then is are you really opening the file or not when in auto view.

Trend

In reply to Have you been hit by the “Goner” worm?

i also have multipule layers of antivirus, using Trend’s suite. ScanMail was able to detect it, and Serverprotect isolated to prevent spreading to the clients, protected by Office Scan. One Exchange server that had PE_Magistr.A effects on it, with the GONER worm, caused the antivirus to stop, but did not effect the Server Protect.

Virus software:

In reply to Trend

We are looking for a virus software solution for our mail server (NT4.0,Exchange 5.5). We have demo’d Norton and Trend. I liked Norton better because of the screen that showed me all the info about who sent the infected e-mail, who received it, whatit was infected with, etc. I never found that info in the ScanMail demo. Was it there? Is Trend the way to go?? Thanks for the assist!!!!

ScanMail details

In reply to Virus software:

I’m not the Email Admin, so I don’t have the nitty-gritty, but our ScanMail is set to e-mail the Help Desk (to which all us Techs have access)with a report every time it catches a virus. The e-mail report includes the sender, intended recipient, what the detected virus was, and what the system did with it (cleaned attachment or stripped and stored). I have the Help Desk inbox on my Outlook shortcuts and it is showing 130 unread e-mails at the moment – pretty much guaranteed to be all virus messages. We are pretty happy with Trend and have a better track record than the other campuses in our system that don’t use it.

TREND is the Way to go…

In reply to Virus software:

The info you are looking for is just like the JohnM said. You set it up to email you. I have a folder in my outlook that I send the Virus Alerts into I know immediately when one hits. Also another awesome thing about Trend is that it installs anddoesnt need to reboot. I could go on for hours about the features but I wont. You wont regret going with Trend. I have used it for over 3 years now, and have never had a machine down due to a virus. (knock on wood) 😉

Rad

Antigen is the way to go

In reply to Virus software:

Hi be sure to evaluate Antigen for Exchange from Sybari (www.sybari.com). Switched to this after Anna Kournikova and haven’t had problems since. Mulitple scan engines and configurable file filters can be set up. I sleep easy now. Gui takes a little getting used to but there is a very good user guide.

Trend is great…sorta

In reply to Trend

We have Trend on server & clients. We also had/have about 100 out of 300 users infected. Why? No new signature files yesterday morning. Didn’t get them til afternoon. By that time, one user (let’s call him Mr. X) received the file from his wife. He opened it (because it said HI!, and it was from his wife!) and boom!
Why boom? Well, Mr. X works in IT. Our users all said “Well, it came from Mr. X, so I thought it was safe!”
And yes, a number of them are still asking what the screensaver looked like.

What software was quickest

In reply to Trend is great…sorta

I support two networks. One running Network Associates Groupshield for Exchange the other running Symantec’s Exchange antivirus. I couldn’t get updates until @3 pm for either of them. The Groupshield was the first network got hit around 11am? Does anybody know what software was the quickest to get out their updates?

Yep

In reply to Have you been hit by the “Goner” worm?

We are running the latest McAfee(4173) on the desktop and Sophos on MailMarshal. It got through. Mail is out for the day as we clean out PCs and servers.

How bad does it have to get before the death penalty is warranted for the people that write this stuff. No I’m not joking.

Yes…Already up to about 40

In reply to Have you been hit by the “Goner” worm?

Of course no sooner than I sent out my virus bulletin this morning about this virus.

About 5 of my users contacted me asking me to retrieve the quarrantined scr file for them.

In case your new to any TR discussions about viruses and have neverread any of my posts. I am a big advocate of blocking the majority of file extensions at the mail gateway.

So in fact, even though a new virus comes out. Using my method, your users will never receive the actual virus attachment.

It just goes to show that users are idiots and should never be trusted with policing themselves.

Managed virus protection way forward

In reply to Have you been hit by the “Goner” worm?

Everything is tiered these days and virus protection is one of them. Get yourself an internet based managed AV service and a good corporate level AV product on your network. Keep it up to date and you’ll beat most!

Got it….

In reply to Managed virus protection way forward

We have Scanmail running on our Exchange server and InoculateIT on the desktops, all signatures files had updated in the morning successfully. Being stuck in meetings all day we were not aware of the outbreak and were not able to update signatures or block attachments in time, unfortunately this one got us.

Alerts came in little too late

In reply to Got it….

I’m signed up for security alerts from both McAfee and Trend Micro. Both of them came around mid day. One got it yesterday and second one today. Not too bad. Expecting more viruses as it’s the holiday season. More excuses for click happy folks!

well,,,

In reply to Alerts came in little too late

You cant sit back and wait you have to check logs to see if anyone has gotten a virus. We knew because we started receiving tons of emails from a person who opened the .scr up. After that we took them offline and clicked to update the Micro. After that it was done. The Exchange server reported catching 840 infected emails and moved to delete the attachment and we were good.

I got the virus

In reply to Have you been hit by the “Goner” worm?

I got the virus in about 20 workstations. I am having Norton Antivirus corporate edition program and I am still waiting for a new definition file from Norton.
On the mid-time I search and delete all files named gone.scr on inflected workstations and delete the registry Key. See the following link for more info:
http://securityresponse.symantec.com/avcenter/venc/data/w32.goner.a@mm.html

Take care now. Bye

AV Scanning @ Internet level

In reply to I got the virus

I was not hit with this virus nor were ANY of the customers of a company called MessageLabs. Apparently they are able to do this because they use 4 AV scanners and have their own scanner called skeptic. I spoke with one of their guys a few weeks agoand he said that they have never had ANY of their customers infected with a virus. I didn’t believe them so I checked them out and they are telling the truth.

I saw it with my own eyes

In reply to AV Scanning @ Internet level

My company was conducting a test pilot with MessageLabs when a vendor attempted to send us the attachment. The email was sent to us by 9 AM on the 4th. MessageLabs caught it and stripped the attachment. Our internal servers were stripping .exe and .vbs attachments but not .scr. I’m the Help Desk manager and if we would have been infected, my life would have been hell. MessageLabs saved me A LOT of hassle and the company a fortune. (And, can you believe they decided the service was too expensive and they nixed the project?)

Hit this morning.

In reply to Have you been hit by the “Goner” worm?

Yes — It was received with the classic “How are you? When I saw this screensaver…” message from a vendor. Fortunately I was suspicious enough not to open the “Gone.scr” attachment. I have since put out the word to our users.
-Bill Peterson
Catalina Express

Yes

In reply to Have you been hit by the “Goner” worm?

Got it this morning. Fortunately, Norton had been giving me problems with our end users, so last week I started rolling out McAfee VirusScan. Only 3 users were infected, the last three still running Norton.

Hit this evening

In reply to Have you been hit by the “Goner” worm?

After 3 mail alerts about the virus to the employees.. sure enough, 5 minutes before quitting time. Only reason it hadn’t been caught by our mail server is because we were waiting until after hours to reboot the mail server for viri def updates (the guy doing these updates… does them… wrong…)
But, was 5 out of 800 users infected… not bad.

Dim Wits

In reply to Hit this evening

We had 5 dim wits out of 40 here push the button and start the virus. We are a Sub. of a large company and it got through the “Ac…” in out Global list before I stopped it. It never should have made it in here. We use World Secure and they did not have the 4174 virus pattern on there servers yet. I tried to stop the smtp relay service but it did not stop until I pulled the network cable off of the server. 18 minutes of mail got out from the time we were infected untill I had corrected the problem.

Do yourself a favour……..

In reply to Dim Wits

Get a copy of Sophos.

Its the lightest virus engine i have ever come across. The updates are regular and can be updated via a logon script.

The trouble shooting time saved alone would pay for twice over.

Sorry to sound so smug but virus attacks dont get further than my inbox. It really works.

http://www.sophos.com

Want smug?

In reply to Do yourself a favour……..

Viruses in my network never even make it to my users inbox.

And it has nothing to do with my AV scanner picking up viruses.

I can use a free crappy av scanner for exchange, as long as I can quarrantine extensions at the mail gateway.

Screw updates and virus definitions. Remember someone has to get infected first before an update is released.

They only read the wrong ones

In reply to Have you been hit by the “Goner” worm?

Yeah, I got hit. I received a warning about the virus and promptly sent an email warning my 100+ users to avoid it. Delete it, that’s what I said….

I even set the email server to screen out the .scr extension on attachments. Of course, it was too late to screen it, but I hoped my warning would be heeded.

It’s 9:00 PM Eastern Time. I’d rather be home with my kids, but I have Users.

Remind me to never, ever, trust a User again…….

Why Don’t they LEARN from past mistakes?

In reply to They only read the wrong ones

We’ve had about 5 of these viruses starting with bubbleboy. We didn’t implement the screen until it was too late. You would think that users would learn. I guess it isn’t all that bad. Only 5 out of 50 actually clicked the damn attachment(Of course that was because I did a group broadcast warning about the virus). Of course the exchange server was down most of the morning. And 2 of the users who clicked the virus actually had the nerve to ask me when it would be back up because they wantedto see what the screen saver did GEESH!!!!!

The wonders of Unix

In reply to Have you been hit by the “Goner” worm?

We replaced every system in our company with BSD machines (including admins and non-techs) a while ago. Not only did this greatly improve productivity (no more crashes, etc.) it also protects us from most malice we’d face otherwise. mutt as an emailclient is just not affected, so we’re safe.

Did we get hit? Heck, yeah. According to our .procmailrc each employee got between 10 and 1300 of those nasty bastards. Neatly intercepted and stored away that stuff now awaits analysis and us contacting our less fortunate peers.

Norton is a little slow

In reply to The wonders of Unix

Does anyone else run Norton on their systems? I love Norton to death, it seems to run so well on our Windows 2000 machines BUT they always seem a little slow about getting out the DATs. Same thing happen with Nimda. Needless to say I had to pull the plug to our internet and external mail to protect us from the worm untill I got the DATs at 4 cst (3 hours of down time). It worked and saved us a lot of problems but it didn’t make some people very happy.

Virus Scanners

In reply to Norton is a little slow

I’ve stopped deploying and using scanners completely. They’re rarelt up to date (even if synced twice a day one usually gets the first outbreak “live”) and deliver a false sense of security.

What we’re doing is easy: We educate. From Admin to Sales, from IT-Engineer to CIO, from President down and Frontdesk up – everyone gets the same Spiel: DON’T.

There’s steps one can take: Remove Outlook and install something more stable and less exploitable. Teach your staff NOT to open attachments. Tell them WHAT an attachment is and why it’s dangerous. Make this a policy. Fire people who violate the policy. Sounds harsh? I don’t think it is.

If employees are allowed to take laptops home, they get a 45 minute training. It’s “online” via a RealVideo they must watch. When finished watching, they “sign” an aggreement online. Again, violating these policies results in dismissal. A VP had to go, and our Prez was quite clear on this one.

Pulling the plug, disinfecting machines, etc. is justnot an option. It never is, this company don’t sleep 🙂

Yep, we got it

In reply to Have you been hit by the “Goner” worm?

We were hit first thing this morning at the law firm where I work in Tech Support. A number of our users thought it was an in-house e-mail and therefore “safe” to open; so lots of them did! Our mail servers were taken offline before 9:15 am Pacific time to clean off the messages.

Yes we have

In reply to Have you been hit by the “Goner” worm?

We have been hit by the Goner worm. We have a corporate e-mail system and it has gone through our global address book. It came with the subject line as “Hi” and inside the e-mail it said something like, “I saw this screen saver and thought of you” and has an attachment. We have sent out the latest virus definitions to the users. They have been informed of the threat and we have the removal tool and instructions to get rid of it.

For more information check out http://www.securityresponse.symantec.com.

Lee-Anne

Wounded is more like it

In reply to Yes we have

My campus has been hit by the worm. Yet my network which is on a different segment/infrastructure has not been affected. I am currently running Norton AV Pro 2001 and Office XP Pro (Outlook 2002) with high security settings. The email arrived but Outlook deleted the attachment and Norton confirmed a clean machine. Our campus email system is a total wreck though.

McAfee, Symantec, or Trend Micro

In reply to Have you been hit by the “Goner” worm?

No, we haven’t been hit with “Goner” yet, but we’re still on the look out for Nimda varients. Network Associate’s (McAfee’s) Knowledge Center posts many known problems with their retail and enterprise VirusScan software.

It’s become a full time job supporting McAfee updates, upgrades, and registry fixes. Did you know that McAfee tech support will send your users a detailed instruction on how to make complex registry changes – scary.

Symantec products seem much more reliable and easier to maintain in a home and medium size LAN environment. The team at Trend Micro have some great solutions as well. Too bad my employer opted to renew a McAfee grant good until 2003 despite my recommendations! Keeps me in work though. . . . 🙂

Symantec Managed by far

In reply to McAfee, Symantec, or Trend Micro

Used McAfee for the longest because people were used to using it, But after myself and other techs having to reghost machines due to security constrants, we went to norton corp.. Updates everyday and with one click.. Also it is protected from those special users.

Got it – but not spread

In reply to Have you been hit by the “Goner” worm?

A number of our employees have received it – our folks have fixed it … but because we are using Notes – it hasn’t been spread to any others inside or outside our company.

Unfortunately, ues

In reply to Have you been hit by the “Goner” worm?

We first got the file at 4:45 Tuesday (12/4) from a consultant who fell for the trap. He noticed the emails going out and called me to warn me.

To make matters worse, the original message was sent to my home account and opened by my wife who, naturally, thought it was safe, since it was coming from me. So I somehow managed to infect myself.

It can sit on a Mac

In reply to Unfortunately, ues

We have about 180 systems. Macs, Suns, Linux, and Windows, but the only one that actually had the virus activated was a Mac. It placed the Virus file on the desktop, deleted it. If a PC had attached to the Mac would it have gone to the PC?

This is an MS virus

In reply to Have you been hit by the “Goner” worm?

Everyone should be calling this virus what it is: a Microsoft virus. It’s not an Internet virus or a computer virus. Only computers running MS Outlook are infected by it.

Goner problem

In reply to Have you been hit by the “Goner” worm?

We were hit by the goner virus yesterday & it has made my life hell since. While we had to reinstall antivirus on several machines in our network I discovered hybrus & lovebug hiding on many machines also. I’m still working on it.

Yes, but appears cleaned

In reply to Have you been hit by the “Goner” worm?

I had two of my fifty users open the attachment. This resulted in just over 1000 infected messages. Luckily it hit at the end of the day, and most folks had gone home. An update to McAfee Total Virus Defense on the Exchange servers was successfulin cleaning the infected messages. I had to do repairs on the two workstations, but am hoping all is back to normal. I checked for an update yesterday when I first heard about the virus, but none were available. Then due to meetings and such (andbeing the only I.T. person) I was not able to get the update in time to keep the virus from getting in.

Another wave – protected this time

In reply to Yes, but appears cleaned

Well, another wave hit, but Groupshield on my Exchange server stripped the virus from the offending e-mails. This new wave was a little strange though. My user who’s account originated the messages was not in outlook (I was with her when it started). 220 messages later, everything is calm again. I did all the manual removal instructions, ran a removal/detection tool from Panda and then reinstalled the virus protection. After all this, I ran McAfee virusscan on all files on the computer, and it found another instance of the virus after everything else said the machine was clean. It was titled gone[1].scr and was in c:\windows\temporary internet files\content.IE5\O1E34T6V\gone[1].scr

I had not seen any mention of this file name or location before (also, doing a search on the pc using *.scr and gone*.* did not find this instance……

It seems to replicate almost randomly

In reply to Another wave – protected this time

We found gone.scr in c:\windows\temp, c:\my documents, and c:\temp as well as in the temporary internet folders. gone[1].scr thru (in one case)gone[37].scr were also found on some PCs, although not evryone’s ans in different places.
We found doinga “show all files” then search on “gone” found all instances, and it was able to be deleted without going to DOS to do it. Of course, remember to empty the Recycle Bin.

yes

In reply to Have you been hit by the “Goner” worm?

We got hit yesterday afternoon and shut down our mail server until we got the update. I was expecting it at home, but I’ve been educating all my friends about email viruses and it seems to have paid off. Too bad we can’t do the same at work, but we’re trying….

Couple of them got through

In reply to Have you been hit by the “Goner” worm?

Unfortunately our scanmail was not blocking the SCR extension which I have now changed, so we had about 7 or 8 people get infected by the Goner virus yesterday afternoon. Being as Norton only came out with the definitions 2 hours later we tried to police the issue as much as possible. Unfortunately although we sent out an “urgent” email warning against opening the attachment we still had a number of people do so. Never underestimate the stupidity of anyone is what I say 🙂

Nothing so far

In reply to Couple of them got through

Our Exchange server has been blocking the virus. No, infections on any of the clients. We got brutalized by Nimda and learned some hard lessons.

However, we still fear someone opening the attachment via Hotmail or Yahoo. So making sure they virus definitions are updated is still important.

As, to users, some are great. They immediately, informed us about a “new” virus from the news. We had already heard about it, but its still helpful.

But, some are amazing. We send out an emaildo not open any attachments labled “THIS IS A VIRUS” and sure enough you will get 1 or 2 people that email you asking for there deleted attachment. 🙂

3 infections

In reply to Have you been hit by the “Goner” worm?

We had three clients get hit, but only because they had changed their Outlook security to allow scripts/attachments. Norton’s Corporate 7.5 missed them and our Mdaemon DKAV missed it also. I removed us from the WAN to prevent our customers/vendorsfrom taking hits and then immediately disabled our email system. I quickly reconfigured DKAV to catch and delete the attachments and this slowed down the onslaught. I removed all infected emails from the email server. By this time, Norton and DKAV had finally updated their software. I “corrected” the 3 infected clients and then brought up email and WAN services. We are still getting infected emails but our two AV packages are catching them.

HELP!! Can’t get gone.scr off Exch Servr

In reply to Have you been hit by the “Goner” worm?

Hi,
I have the gone.scr virus on my Exch 5.5 box and I have run the Symantec removal tool 3 times and after the second time it says it is not found. As soon as I reboot it is back again, any ideas of where it is hiding. I can’t find it running anywhere, i.e. Task man or in the registry. Norton AV keeps quarantining all the instances it finds but I can’t get rid of it. Thanks for any help.

Norton sucks.. Follow these directions

In reply to HELP!! Can’t get gone.scr off Exch Servr

Never ever ever, let your AV product do the work for you. Don’t care if it’s norton, mcafee or trend. Always remove the virus yourself.

Steps
1. Unhide known file extensions and system files.

2. search for gone.scr (i prefer *.scr) and delete that file.

3. Open regedit (start/run/type regedit ,press enter)

4. go to HKey local machine/Software/Microsoft/Windows/CurrentVersion/Run Look for the key on the right that says C:\winnt\system\gone.scr

Reboot

Once it comes back up look at the reg key again. If it is not there then the virus is gone.

The 2 big locations that viruses add keys to are that location and the run once location.

This insures that loading at boot up.

What else is eating up outlook espress ?

In reply to Norton sucks.. Follow these directions

I thought it was Goner, buthaving followed all your advice thoroughly, I can’t locate it. Every few days, my outlook express 6 is having all the emails and folders wiped back to its orginal start mode; NAV email protection gets disbled and needs tobe reinstalled; and now it no longer syncs with my hotmail. I’m boggledl; what other culprits have been out there, this started about 2 weeks ago.

I usually get my email synced via hotmail and once I have deleted all the schlock from bulkmail and spam I drag stuff to my inbox. How vulnerable is that really? Thanks

Re: HELP!! Can’t get gone.scr off

In reply to HELP!! Can’t get gone.scr off Exch Servr

Hi,

Go to the the task bar, there should be gone running as a process. End the process and then go to the folder options to show all files and uncheck the hide file extensions and hide protected OS boxes.

Go to system32 folder and delete gone.scr file. Go to the registry HKEY LOCAL MACHINE, software, Microsoft, windows, current version, run and delete the key associated with gone.

Reboot and you should be all set.

Jide

Manualy fix it

In reply to HELP!! Can’t get gone.scr off Exch Servr

1. unhide your files and extensions
2. do a search for gone.scr or *.scr and delete that file.
3. go to run and type regedit, go to HKey local machine/software/microsoft/windows/currentVersion/run and look for the key
4. Reboot your machine.
Hope this works it’s a copy from another fix.
If not you are probably looking at a clean install and upgrading your virus checkers.
GOOD LUCK my friend fstradley@Yahoo.com

Still Haven’t Seen It Here

In reply to Have you been hit by the “Goner” worm?

We haven’t seen it here yet at all. We had our mail gateway down overnight on the 4th/5th until we were sure we had the NAV updates from Symantec and have been checking all day but nothing so far. We don’t run Outlook internally for mail so it wouldn’t spread if it did get in but I’m surprised we haven’t picked up something by now.

Nope

In reply to Have you been hit by the “Goner” worm?

I feel somewhat left out by all this. Code Red, Yucky Outlook, Goner… I feel so lonely that I am thinking about switching one of our servers from Linux to MS just so I can get in on the fray.

Yes

In reply to Have you been hit by the “Goner” worm?

Our email servers have been down since Tuesday afternoon. The workstations were easy to clean up but our Exchange servers would not restart the Information Store. We will probably be down until sometime tomorrow.

Only about 15% of our users have Office XP (and therefore the attachment was blocked), so the other 85% were vulnerable with Outlook 98. The problem lies with our end users, who refuses to be subjective when opening email. They click before they can think. This will definitely result in a strong push to load Office XP on the remaining workstations out there.

No

In reply to Have you been hit by the “Goner” worm?

I’ve been doing the digital thing since ’77.I have yet to even SEE a virun on our nodes.I kinda would like to get a copy and recode it to something useful.

YES

In reply to Have you been hit by the “Goner” worm?

yes we were hit but no demage was done due to teh timely action and detection. Thanks to Norton for the early fix which maily saved. Main reason for the safty was not using the Outlook express.

YES

In reply to Have you been hit by the “Goner” worm?

yes we were hit but no demage was done due to the timely action and detection. Thanks to Norton for the early fix which maily saved. Main reason for the safty was not using the Outlook express.

Civil Suite(class act.)against creators!

In reply to Have you been hit by the “Goner” worm?

We lost a day of productivity, 400 computer users, and IT spent lots overtime fighting it.
Why cant all the businesses affected, file a class action suite against those that create these viruses, that cost us thousands & thousands of dollars. We need to set an example of these people!!!!

Steve
Calvert County Maryland

W32.Nimda.enc (Goner)

In reply to Civil Suite(class act.)against creators!

running 2000 Pro with Norton software, this entered system and was trying to exit some mail a got caught, used Symantec Goneer software patch and executed it. Seems to be a goner now for sure

Good Defence System

In reply to Civil Suite(class act.)against creators!

I use ETrust EZAntivirus suite of protection from Computer Associates. It consiste of an antivurus program, a firewall program and another DeskShield program. The combination of all three offers maximum protection. I have not been hit with Goner.

Cheers,
Ross K

class action??

In reply to Civil Suite(class act.)against creators!

you’d have to include Microsoft in the lawsuit and they seem to be armor plated when it comes to being sued.b

Another Microsoft hit!

In reply to Have you been hit by the “Goner” worm?

Fortunately, I use Netscape for E-mail. Recognized the possibility of a virus, which came from a theological seminary. When I attempted to access the seminary web site, it was down! Clue, clue, clue, and I still tried to open it. But, with netscape E-mail, it did nothing.

Bill

Newbie Admin

In reply to Another Microsoft hit!

Hi,
I am a Newbie Admin. I had the goner Virus and had to shut down for four hours and then decided instead of losing productivity would just shut down the exchange link to the outside world. We got hit at 7AM Tuesday and InnoculateIT didnt release the update until much later, then to realize the administrator had put off installing the Innoculate program on ALL computers and the ones that had it were getting thier updates via FTP which we don’t allow on our network. What a learning experience and thank you for the list of blocked extension now I won’t have to research for them. I am was going to do extension blocking. And I have had all my users setup so their outlook is on Autopreview instead of having to double click to see the message they can preview it and delete it if it is suspicous. And I have had them turn on the “Would you like to read your new message feature.” So they don’t open a message before they know what it is or who it is from. I also do a helpdesk Website which teaches them how to use programs what to do and not do, policies and procedures.

Have a nice day..
Timothy Rhoads
mdby22@hotmail.com

“Goner” Virus

In reply to Have you been hit by the “Goner” worm?

Two of our computers were hit last week. Even though I did not actually open the file but had Outlook set to preview mode, it did leave a piece of Goner on the one system. I ran Norton Antivirus and it appears to have cleaned it up.

On another computer, I set the preview mode off and it did not end up having any traces left on it by the virus.

Even though it did not appear that any of the other computers were hit, just to be on the safe side, I updated and ran Norton on all of our systems.

Again, on the one system that it said it infected, the message was not clicked open and the attachment was not executed but it still left traces. So for anyone out there who received the HI message, I recommend updating and running yourvirus scan to make sure it didn’t really affect your system.

B.J.

Yes – only as safe as your dumbest user

In reply to Have you been hit by the “Goner” worm?

You can do all you want, and spend all you want, but if any individual still opens unexpected e-mails and/or attached files, none of the rest matters.

…exactly right!

In reply to Yes – only as safe as your dumbest user

One user initially was infected and ended up sending out 300 copies, mostly within our network. NO ONE here opened this message and we were able to clean out all traces from our systems with no harm done.

GONER FIRST OF 2 PRONG ATTACK?!?!?!

In reply to Have you been hit by the “Goner” worm?

This attack is meant to loosen up security by blowing away firewalls and other security devices. I have a sneaking suspicion that another attack is eminate. Make sure you get things patched up ASAP. This two prong attack is going to be the next big thing in Viral attack plans, Code Red used the same principle. The first attack pops a bunch of holes in your security, then next wave exploits all of them, hoping you missed one. The timing of this makes it seem like a possible Dos Attack meantto eat up valuable Holiday shopping bandwidth. So get your Online shopping done now, before the pipes get clogged.

;-0

PS your not paranoid if their really after you.

How do you figure? Have not heard..

In reply to GONER FIRST OF 2 PRONG ATTACK?!?!?!

From my understanding of this one, once run (after the replication) it then nicely adds itself as a backdoor trojan used for DoS on IRC. Besides deleting key common AV files.

However, the IRC channels were not pre determined. There are several mitigating factors. First of which, the user must have IRC software installed. And second they have to initiate a mIRC session. Once the session is initiated then the trojan will begin it’s attack on that channel.

I was not under the impression that this had the ability to exploit firewalls or IIS servers. Even if the infected user had drives mapped to those systems. Those systems generally do not have e-mail clients and or mIRC client software on them.

I may be wrong on the above points. I would be curious to see any other findings related to this trojan.

If you have new information regarding this please let us know.

Gone, Gone, Goner

In reply to Have you been hit by the “Goner” worm?

SSA intranet was nailed by the Goner virus. And it DID cause DoS. LANs and WANs across the country were having to take their Exchange Servers down for the afternoon until it could run its course. In addition, we put a blocker on the Exchange Server to intercept the virus at the ES, before it was passed to the clients. The only problem was that the clients still saw the little envelope on their Outlook, showing that they had mail, even though, we had intercepted the virus. But, we seem to be clean now.

Hit Hard by Goner

In reply to Gone, Gone, Goner

got the pentagon file, opened it, and in seconds I saw it send it self out to my database of names. I ususally keep my pc on at home. this night I shut it down, then rebotted in the morning and it re-sent to everyone in outlook again.

Yes and ouch

In reply to Have you been hit by the “Goner” worm?

It was all my own fault, I admit it. A business contact I haven’t spoken with in more than a year sent me repeated messages that I suspected were dangerous.

After deleting, I don’t know, a dozen of them I should have called her but didn’t. Then one evening without thinking I just went down my list of new email and opened it.

Damn it! Stupidity really can hurt. It disabled my Nortons, my firewall and began taxing my machine. Then it jumped over my network.

On the upside, we don’t useOutlook – we opt for outlook Express and a series of third party scheduling tools.

As I reinstalled and reinstalled Norton, I couldn’t help but think of the analogy of one germ in a field of cloned livestock taking down the whole population. And although I’m glad I didn’t help spread this thing with Outlook I couldn’t help but think how little this would have impacted me using RedHat or Mandrake.

I’ve since downloaded the ISO images for new versions of both OS but I still haven’t got my system clean, i.e. my cr-rw isn’t running properly. But soon I intend to at least investigate the practical desktop application of the open source OS.

dustin_writes

Goner Worm

In reply to Have you been hit by the “Goner” worm?

I’ve received at least 10 of these due to people being infected and not cleaning their machine. All have been detected by my Linux proxy and its AV software. For curiosity, I allowed the worm on a clean install of W98SE on a spare drive. Norton AV did not detect it until I updated to the latest (at the time) definitions (4 Dec. 2001). An older version of Fix-It utilities (mid november definitions) did find the worm but could not fix the file and simply deleted it.

The same test on a WinNT 4.0 server/SP6 clean install, yielded an immediate error from the OS, compaining about an incorrectly running program (Pentagon) and illegal access to a dll.

Again, Linux using f-prot and a full firewall found the attachment and confined it to a protected area; the tripwire monitor then sent me email on my Win32 machine.

I Was A Goner Too

In reply to Have you been hit by the “Goner” worm?

I received the Goner message from my father-in-law, whom I like, so I naturally opened the message. The text in the message sounded something like he would write. I opened the message, read it, then left the house to run errands. Next thing I know, I’ve got messages from friends who said I’ve got a virus.

It affected my OS, in addition to my virus protection software, so I reformatted my hard drive and reloaded my OS…and all my applications. It’s been 4 days and I’m still dealing with the ramifications.

P.S. This virus is really bad for those of us who are not exceptionally PC savy. Bummer.

No

In reply to Have you been hit by the “Goner” worm?

Warned through a article received from techrepublic, we was able to update Internet security from Symantec before this worm was hiting other systems in Switzerland.

Thanks for the quick warning

R. Troxler

Yes.Can U suggest a remedy?

In reply to Have you been hit by the “Goner” worm?

Can anyone suggest a remedy

Switch to Mac

In reply to Yes.Can U suggest a remedy?

Microsoft IS a virus.

OMG YES! THATS THE ANSWER!

In reply to Switch to Mac

I’ve got it! …

Buy a PC from a company that has a track record of keeping it’s technology completely proprietary, suing the ass off anyone who tries to compete, keeping retail prices for components at 2-3 times what they cost and avoiding financial ruin only because an “inferior” company needs it to continue to exist as part of a legal defense in Federal anti-trust actions.

Make sure you get “special versions” of the office software that your customers and business partners use, the software that is owned by that same competitor. But make sure that these “special versions” are developed by a different software team and released with different features on a different schedule than the “original” versions that everyone else uses.
The best part of a purchase like this is that, because your PC will have an inconsequential market share, you can blame every problem everyone else has on the fact that they did not have the same foresight as you in selecting their PC company.

Simple Inexpensive Solution!

In reply to Have you been hit by the “Goner” worm?

Simple Inexpensive Solution!
Besides having updated Antivirus software running on both the Client and Server. I have been using Antigen for Exchange that allows me to Filter attachments before they even get into the system. Since I Filter for: .vbs, .scr, .exe, .bat, .js, .pif, and .wsh files I have not had any problems with users opening something they should not have, because they don’t receive them! Also, on my home network I have Norton 2002, and ZoneAlarm Pro (not the free one!$49) that are both configured to filter the same types of extensions as listed above. These 3 programs I have mentioned are inexpensive (compared to the cost of ill effects of not having them!) and have protected my corporate and home networks for over a year now without ANY viruses, trojans, hacks, and so forth.

FYI 😉

Funny?

In reply to Have you been hit by the “Goner” worm?

This for the Ass Hole who designed, and transmitted the virus ‘ goner’.
Do you think your hot stuff, as your reading this?

I’ll tell you point blank that designing virus’ is childs play, and you are a CHILD.

IF you and your kind ever grow up,maybe we can start using the web for what it was designed for, instead of wasting time installing more and more software that protects us (The Grown-Ups) against Children (The Assholes) who start these virus’.

No, but here’s a question

In reply to Have you been hit by the “Goner” worm?

According to your description, you have to open an attachment to get “Gonered”. But I understand that some other worms will strike if you simply read the message. So here’s my problem:

On my Outlook inbox display there are now quite a few lines with garbage titles. Since one of the recent killer worms had garbage titles, I don’t even want to read these messages. But in Outlook, to delete the message I have to highlight the title, which displays the message text.

How can I get rid of thesesuspect messages? I’d appreciate your expert information.

Thanks,

— majorjo
Major Johnson
major.johnson@pobox.com

Zone Alarm Update Snag

In reply to Have you been hit by the “Goner” worm?

Zone alarm alerted me as to my address book being opened on a download one day. Now I’ve blocked my address book thru Zone Alarm and the problems stopped. Don’t know if I had the Worm, but randum dial outs also stopped.

My Experience

In reply to Have you been hit by the “Goner” worm?

The only reason I opened this one was it came on a trusted listserv that I use. Big Mistake! I hear it was traced to two teenagers in Israel. They are now pleading for leniency because “they didn’t hurt anyone.” I think that these and all malicious acts such as this should be severely punished to dissuade others from trying this sort of thing.

[Author]

Replies