VIRUS NAME: W32/Goround.worm
Internet Worm Characteristics
This is a network-aware worm that can put an infected system into a reboot loop. When the worm is run (the filename is typically OLDNEWS.EXE), it checks for the presence of the file C:\BOOTMGR.SYS. If this file is not present (which is typically the case), the worm drops a 1-byte file, C:\BOOTMGR.SYS, and attempts to copy itself to other systems using the following network shares:
- c$\windows\startup\oldnews.exe (note: this is an invalid startup folder)
- c$\WINNT\Profiles\All Users\Start Menu\Programs\Startup\oldnews.exe
- c$\Documents and Settings\All Users\Start Menu\Programs\Startup\oldnews.exe
The second time the worm is run, C:\BOOTMGR.SYS is present and the worm immediately shuts down the machine. So, once the worm has successfully copied itself to an active Startup folder, the machine will shut down as soon as Windows has loaded.
The worm is also designed to mass-email itself to all users in the Microsoft Outlook Address Book. However, due to a bug in the program, this routine does not function properly and no messages are sent. The intended message is as follows:
Subject: Hello
Body: Hi
I just had to send you this.
Our email server won't let me email programs so I've renamed it. Save it to disk, changing the .app at the end to .exe, then you can run it.
I don't normally go round forwarding this kind of thing, but this is really, really funny!
Take care.
Attachment: Angel.app
Symptoms
Presence of OLDNEWS.EXE (151,040 bytes) and C:\BOOTMGR.SYS (1 byte)
Method Of Infection
This worm spreads itself via open network shares.
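A triage check for the indicators listed under Symptoms, as an added example that is not part of the original description: it scans a drive or mounted image root for the marker file and the worm copies by path and size. The function names, the verdict labels and the use of an offline mount are assumptions of this example.

```python
import os
import sys

# Indicators from the description above: (kind, path relative to the drive root, size).
# "inactive_copy" is the folder the page calls an invalid startup folder.
INDICATORS = [
    ("marker", r"BOOTMGR.SYS", 1),
    ("inactive_copy", r"windows\startup\oldnews.exe", 151040),
    ("startup_copy", r"WINNT\Profiles\All Users\Start Menu\Programs\Startup\oldnews.exe", 151040),
    ("startup_copy", r"Documents and Settings\All Users\Start Menu\Programs\Startup\oldnews.exe", 151040),
]

def resolve_ci(root, rel):
    """Walk a backslash-separated path under root, matching each component
    case-insensitively (needed when an image is mounted on a case-sensitive FS)."""
    cur = root
    for part in rel.split("\\"):
        try:
            names = os.listdir(cur)
        except OSError:
            return None
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        cur = os.path.join(cur, match)
    return cur

def scan_root(root):
    """Return [(kind, path, size, size_matches)] for indicators found under root."""
    findings = []
    for kind, rel, expected in INDICATORS:
        path = resolve_ci(root, rel)
        if path and os.path.isfile(path):
            size = os.path.getsize(path)
            findings.append((kind, path, size, size == expected))
    return findings

def verdict(findings):
    """Marker plus a copy in an active Startup folder is the shutdown-at-logon state."""
    kinds = {f[0] for f in findings}
    if {"marker", "startup_copy"} <= kinds:
        return "shutdown-loop"
    return "indicators-present" if kinds else "clean"

if __name__ == "__main__" and len(sys.argv) > 1:
    results = scan_root(sys.argv[1])
    for kind, path, size, ok in results:
        print(f"{kind}: {path} ({size} bytes, size {'matches' if ok else 'differs'})")
    print("verdict:", verdict(results))
```

A file found at an indicator path with a different size is still reported, with the size flagged as differing, so it can be examined rather than silently skipped.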