New Virus Today
W32/Goner@MM
High Risk
We just got nailed by it at work
Just giving everyone a heads up.
Comes in an e-mail with the subject "hi"
http://vil.mcafee.com/dispVirus.asp?virus_k=99272&
We just got hit too.
This is what it says:
The Subject Line says FW: Hi
And the body of the email says:
How are you ?
When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!
The attachment is gone.scr
Apparently there is no fix yet.
Mans best friend (. Y .)
"I'm big daddy long stroke and your mans Pee Wee Herman"
This one looks ugly. It appears to delete random files so picking up the pieces of this one will be fun. Who knows if Windows will run right or not.
Bad part is we have .scr files blocked on our Exchange server and it somehow got past it. Once in, it flooded the information store and basically rendered Norton useless.
I hate users!!!!
OUCH!!
Originally posted by Noevo
This one looks ugly. It appears to delete random files so picking up the pieces of this one will be fun. Who knows if Windows will run right or not.
Bad part is we have .scr files blocked on our Exchange server and it somehow got past it. Once in, it flooded the information store and basically rendered Norton useless.
I hate users!!!!
Good luck on fixing that...
Three Rivers Designs wrote: America! Love it or give it back!
more info;
http://www.mcafee.com/anti-virus/viruse ... p?cid=2636
notice: there is an additional problem with Windows ME users. It puts itself in the _restore directory and you will have to disable system restore.
- BlackSword
- Advanced Member
- Posts: 700
- Joined: Thu Apr 19, 2001 12:00 am
- Location: Ontario, Canada
ya that is what it says,,, just got it here.
Originally posted by gmcd33
The Subject Line says FW: Hi
And the body of the email says:
How are you ?
When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!
The attachment is gone.scr
P4 2.4ghz 512ram XP pro ATI 9600pro
P4 2.0ghz 256ram Win2000 Geforce2 MX 400
P4 1.6ghz 512ram XP Home Geforce4 Ti4200
P3 866mhz 320ram ME & XP pro TNT2
All thru HotBrick 600
P3 1.1ghz 260ram Win2000 laptop
Yeah I just saw that thanks. It also has the SDAT too. It looks like if you run the SDAT it will do it for you. So far only a few people are infected.
Originally posted by Norm
There are instructions for manually removing the virus on the link Noevo posted. Following the instructions will remove it.
Any files infected or deleted by the virus will have to be replaced manually through backups, or reinstalling the appropriate apps.
I noticed that four or five people posting in this thread are at work, and in some cases involved with the administering of the networks they are on.
I was wondering, do you guys, or your company techs make backups everyday?
Do you/they keep backups somewhere away from the system?
Just curious as to how/if companies are securing their investments. I know in the past very few smaller companies made backups, and had very little in the way of security.
I run ARC Serve on all my servers which is a pretty full featured backup suite.
All of my servers get full backups daily. Although a differential or incremental would work as well.
My plan is to get all the servers' operating system partitions on RAID 1 with an online spare. After the mirror is generated we remove a drive which generates the online spare. Then the spare is removed and put in a drawer.
This way, if the OS gets corrupt, I just pop in the drive and the mirror regenerates with the working copy. All my data is on a RAID 5 array and is backed up daily.
All in all, things are pretty protected.
We run McAfee net shield on the servers, and v-shield on the clients which works well too.
nightly backups here, offsite storage with Corigan
Originally posted by Norm
I noticed that four or five people posting in this thread are at work, and in some cases involved with the administering of the networks they are on.
I was wondering, do you guys, or your company techs make backups everyday?
Do you/they keep backups somewhere away from the system?
Just curious as to how/if companies are securing their investments. I know in the past very few smaller companies made backups, and had very little in the way of security.
we're running Norton Corporate here.
Good to hear gmcd33/Noevo, companies really need to take things seriously these days. They can't afford to lose critical data.
A home user can get by with losing files, but a company can't.
I treat my own PC like every file is critical, and make a full backup of 6 partitions daily, scheduled. Then I remove the drive with the backups.
One suggestion, take the backup drive to another location in case of fire, or some unexpected disaster. Or make a copy of it to remove from the building each night.
How do you like Norton Corporate? I just ordered it for a new client.
Originally posted by Noevo
nightly backups here, offsite storage with Corigan
we're running Norton Corporate here.
We store our tapes in fireproof safes at all the sites and then rotate a copy to an offsite location. Better safe than sorry!
I've been called to a couple of companies to remove viruses and can do that fairly easily, but can't replace infected files when there is no backup.
These people think techs are Gods and can fix everything, even when there are no backups.
I can fix the OS, and reinstall programs for them, but replacing a file that's been overwritten by a virus is still beyond my scope
Medium to large here. About 400 total employees. 250 or so in this building alone. Huge difference from 3 years or so ago when we had almost no security it seems.
Originally posted by Norm
BTW - Are you guys working for large (full of dough) companies, or smaller ones?
I find the larger companies have good security, and the smaller ones have little or no security. Some rely on freeware apps to secure against viruses.
Originally posted by Noevo
I hate users!!!!
SOME of us are intelligent enough NOT to open dangerous attachments...
Another really good website for virus information is Symantec. They also list hoaxes.
Crayons taste like purple.
www.kwcca.com
Just as soon as I find my full time job, I'll think about you and your needs
Originally posted by CiscoCert
does anyone work for a place where they would pay for me to relocate with a good income...?
Good luck
I went out on my own because I couldn't find work.
Maybe a few certifications would have helped
LOL
Originally posted by Noevo
that's just an urban legend...
I hope that's not true. There's got to be some people with intelligence.
Do the workstations you deal with have "show all files" enabled and "Do not show extensions of known file types" disabled so that the users have a fighting chance to recognize the file types that have potential to carry a virus into the system?
Has there been a list of potentially dangerous file extensions given out to employees?
I'm just curious as to the extent companies try to minimize the problem.
Full of dough here. We have around 11,000 employees ranging from the parent company down to the subsidiaries.
Originally posted by Norm
BTW - Are you guys working for large (full of dough) companies, or smaller ones?
I find the larger companies have good security, and the smaller ones have little or no security. Some rely on freeware apps to secure against viruses.
My department is a regional systems department that supports New York, New Jersey, Pennsylvania, and Delaware.
Last I checked with McAfee we pay about $86,000 a year on anti-virus client licenses.
- CompGeek83
- Senior Member
- Posts: 1513
- Joined: Sun Jun 10, 2001 12:26 pm
- Location: Galax, VA, USA Rival Websites Started: 1
A month or two ago when Code Red/Nimda/whatever else was running around my college set their GroupWise server (student and faculty email) to auto-delete ALL .zip, .exe, and other files. Best thing they could have done. They have NAV corporate on a few of the labs, and nothing on the rest, that's a big problem, they need to keep the AV stuff up to date, especially with everyone bringing disks from home and stuff
Originally posted by Norm
I'm just curious as to the extent companies try to minimize the problem.
"Free your mind and the rest will follow."
CompGeek83 - SpeedForums Webmaster/Admin
Athlon Tbird 1.4 266FSB | Abit KT7a-Raid | 512 MB SDRAM
Abit Siluro Geforce 2 MX400 64MB | SB Live | 384/384k DSL
(If you don't like what I have to say, go straight back to the AOL you came from)
Originally posted by Norm
LOL
I hope that's not true. There's got to be some people with intelligence.
Do the workstations you deal with have "show all files" enabled and "Do not show extensions of known file types" disabled so that the users have a fighting chance to recognize the file types that have potential to carry a virus into the system?
Has there been a list of potentially dangerous file extensions given out to employees?
I'm just curious as to the extent companies try to minimize the problem.
okay, there are a few
most workstations are set up to show all files, can't guarantee all. We have held several "safe computing" classes and heavily stress do not open attachments if you don't know what they are. Yet, we had 5 people do so today. We run into the problem of not really much else we can do. At some point the users have to take some responsibility for this stuff
- CompGeek83
- Senior Member
- Posts: 1513
- Joined: Sun Jun 10, 2001 12:26 pm
- Location: Galax, VA, USA Rival Websites Started: 1
heh, that wouldn't work too well for the distance learning people who email their .doc word documents to their teachers to be graded
Originally posted by nightowl
or you could do what we do here at my work: block all email attachments
there was a long line of blocked files, not just .zip and .exe,
.doc and .wpd and .txt plus some graphic formats and .htm were the only ones that weren't blocked
personally I would have done it backwards and said only these file types are allowed so that all those macro and other file format viruses are deleted too
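The two attachment policies discussed in the posts above (block a list of known-bad extensions versus allow only a short list of known-good ones), compared side by side as an added example; this is not code from any poster or mail product. The file names are constructed samples, and the `.scr` denylist entry and the two graphics extensions on the allowlist are assumptions.

```python
import email
import email.policy
import os
from email.message import EmailMessage

# Denylist in the style described in the thread (.zip, .exe "and other files");
# the .scr entry is an assumption added for this example.
BLOCKED = {".zip", ".exe", ".scr"}
# Allowlist from the post above (.doc, .wpd, .txt, .htm); the two graphics
# extensions are assumptions standing in for "some graphic formats".
ALLOWED = {".doc", ".wpd", ".txt", ".htm", ".gif", ".jpg"}


def build_sample(filename):
    """Constructed test message: short body plus one dummy attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body")
    msg.add_attachment(b"dummy bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    # Serialize and re-parse so the filter sees wire-format MIME, as a gateway would.
    return email.message_from_bytes(msg.as_bytes(), policy=email.policy.default)


def attachment_extensions(msg):
    """Lower-cased final extension of every named MIME part."""
    exts = []
    for part in msg.walk():
        name = part.get_filename()
        if name is None:
            continue
        # Windows ignores trailing dots and spaces, so strip them before splitting.
        cleaned = name.strip().rstrip(". ")
        exts.append(os.path.splitext(cleaned)[1].lower())
    return exts


def denylist_verdict(msg):
    """Reject only if some attachment extension is on the blocked list."""
    hit = any(ext in BLOCKED for ext in attachment_extensions(msg))
    return "reject" if hit else "accept"


def allowlist_verdict(msg):
    """Reject unless every attachment extension is on the allowed list."""
    ok = all(ext in ALLOWED for ext in attachment_extensions(msg))
    return "accept" if ok else "reject"


def compare(filenames):
    """Map each constructed file name to (denylist verdict, allowlist verdict)."""
    return {name: (denylist_verdict(build_sample(name)),
                   allowlist_verdict(build_sample(name)))
            for name in filenames}


if __name__ == "__main__":
    samples = ["gone.scr", "GONE.SCR", "photo.jpg.pif", "essay.doc", "notes"]
    for name, (deny, allow) in compare(samples).items():
        print(f"{name:15} denylist={deny:7} allowlist={allow}")
```

The denylist accepts any executable type nobody thought to list (here the constructed `photo.jpg.pif`), while the allowlist rejects it along with extension-less files, and both still let the distance-learning `.doc` through.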
I hear ya, you can't rely on all staff members to retain knowledge they receive from classes paid for by the company. A lot of people see these classes as a few hours off work, and don't put an effort into learning.
Originally posted by Noevo
okay, there are a few
most workstations are set up to show all files, can't guarantee all. We have held several "safe computing" classes and heavily stress do not open attachments if you don't know what they are. Yet, we had 5 people do so today. We run into the problem of not really much else we can do. At some point the users have to take some responsibility for this stuff
gmcd33, your company spends a lot of dough on security. WOW !!
Good for them, they'll survive in the long run.
On top of all the security, they have you on staff as well
Thanks for all the responses everyone.
http://enterprisesecurity.symantec.com/ ... 8602&EID=0
Get that for your Exchange Server. Symantec Security Response has already issued new virus definitions to protect you from the threat.
Also, get this for your company.
http://enterprisesecurity.symantec.com/ ... 8602&EID=0
Can update defs just from one computer to offer network-wide protection. It includes a lot of the other enterprise software including the virus protection for MS Exchange servers and Exchange accounts.
Originally posted by BIGJIMSLATE
Stupid question, but am I safe if I don't open the attachment (never do, but hoping it's not one of those "automatic" ones)?
Yes, you're safe if you don't open the attachment with this one. I just got home from work, will put some of what we found out up here in a bit.
So here's some weird stuff about the Goner virus:
It sent out 1,000's of e-mails a minute. Yet it leaves no trace in the person's sent box. Nothing.
Our Norton was blocking some and letting others through. It was as if it was being so overloaded by them that it just couldn't catch them all, that's a first for us.
Even after manually cleaning an infected machine, restore directory and all, a Norton scan with updated defs for this specifically found 12 files in the _restore directory. The files wouldn't even show with attrib from DOS in the directory, with system restore disabled. Had to deltree the entire _restore directory and then everything appeared clean. Still have to delete any OSTs though since we had some with 100's of e-mails in the outbox just waiting to send as soon as it saw a net connection.
This was the first time we really got hit. Anna, I love you, those we saw but not like this one. Ugly.
Files that were in the _restore directory also had a .scr extension but had many different names.
We're also having a problem with the Norton clients on the machines that were infected. Once infected there is no option to "scan a computer" from within the client. You must right click on a drive and choose scan. So a reinstall of Norton is in order for any machines infected, I think.
Think that's about it. Hope others had better luck with it than we did.
I'm late, but then so is the email that I just now got from McAfee!
"McAfee.com Dispatch" <dispatch@mcafee.com>
To : "blebs99
Subject : EMERGENCY VIRUS ALERT - W32/Goner@MM
Date : Tue, 4 Dec 2001 15:59:25 -0800
McAfee.com has seen an OUTBREAK of computers infected with W32/Goner@MM, also known as Pentagone, Goner or Gone. This is a NEW, HIGH RISK virus that spreads via Microsoft Outlook email and ICQ instant messaging programs. This mass-mailing worm will arrive from someone you know with the following email message:
Subject: Hi
Body: How are you ?
When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!
Attachment: GONE.SCR
Goner has a DESTRUCTIVE PAYLOAD. When the attachment is opened, it will look for a variety of anti-virus, firewall and other security programs and attempt to delete them, along with ALL FILES in the same directory. This worm will also place a trojan, REMOTE32.INI, on the system, which contains instructions to attempt Denial-of-Service attacks on other IRC users.