The Gaobot Worm
The most significant new worm to surface has
been the Gaobot worm, which gains access to Windows systems
through shares. It enters a blank password for the Administrator
account or runs a password-cracking attack against accounts
such as Administrator, Guest, owner, and others. Once it connects
to a share, it installs Trojan horse programs (woinggg.exe
and sysldr32.exe or sysmgr.exe) in the system32 directory
of the victim system. It then creates an outbound connection
on TCP port 9900, and scans other systems on TCP port 445.
Gaobot is a very serious threat. Your best recourse
is to ensure that you do not share your Windows system's hard
drive if you do not need to, that all accounts on your system
have strong (difficult-to-guess) passwords (see Choosing
a Password on the CPP
Password Guidelines web page), and that your system's
antivirus software is up-to-date. If your system becomes infected,
remove the system from the network and have your system administrator
eradicate the virus prior to placing the system back on the
network; failure to do so can result in further infections.
If you are not sure exactly what to do, dial 486-HELP or email
help@lbl.gov. This worm seeks unprotected shares, so turn
off any unnecessary shares to your system. If you have to
use shares, be sure to use password protection, and
choose a strong password to avoid being a future target.
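
The network behaviour described above (an outbound connection on TCP port 9900 together with scanning of other systems on TCP port 445) can be looked for in connection logs. The following Python code is an added example, not part of the original advisory; the record layout, the sample addresses, and the fan-out threshold of 5 are assumptions.

```python
from collections import defaultdict

CALLOUT_PORT = 9900  # outbound TCP port the page attributes to Gaobot
SMB_PORT = 445       # TCP port the page says Gaobot scans on other systems

# Constructed flow records (source, destination, protocol, destination port).
# Addresses are from private and documentation ranges, not real observations.
SAMPLE_FLOWS = (
    [("10.0.0.5", "192.0.2.50", "tcp", 9900)]
    + [("10.0.0.5", f"10.0.1.{i}", "tcp", 445) for i in range(1, 7)]
    + [("10.0.0.9", "10.0.2.10", "tcp", 445), ("10.0.0.9", "10.0.2.11", "tcp", 445)]
    + [("10.0.0.12", f"10.0.3.{i}", "tcp", 445) for i in range(1, 6)]
    + [("10.0.0.20", "192.0.2.50", "tcp", 9900)]
    + [("10.0.0.30", "192.0.2.60", "udp", 9900)]
)


def classify_hosts(flows, fanout_threshold=5):
    """Return {source: label} for hosts showing the Gaobot network behaviour."""
    callouts = defaultdict(set)   # source -> destinations contacted on TCP 9900
    smb_peers = defaultdict(set)  # source -> distinct hosts contacted on TCP 445
    for src, dst, proto, dport in flows:
        if proto != "tcp":
            continue
        if dport == CALLOUT_PORT:
            callouts[src].add(dst)
        elif dport == SMB_PORT:
            smb_peers[src].add(dst)

    findings = {}
    for src in sorted(set(callouts) | set(smb_peers)):
        has_callout = src in callouts
        is_scanning = len(smb_peers.get(src, ())) >= fanout_threshold
        if has_callout and is_scanning:
            findings[src] = "callout+scan"   # both behaviours: isolate the host
        elif is_scanning:
            findings[src] = "scan-only"      # wide 445 fan-out, no 9900 seen
        elif has_callout:
            findings[src] = "callout-only"   # 9900 alone may be legitimate
    return findings


if __name__ == "__main__":
    for host, label in classify_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: {label}")
```

A host that talks to only a couple of file servers on port 445 (10.0.0.9 in the sample) is not reported, which keeps ordinary share use from drowning out the hosts worth checking.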
Gibe Worm
The Gibe (W32.Gibe@mm) worm is being sent in
hoax messages that claim to be a Microsoft bulletin concerning
vulnerabilities in Microsoft Outlook and Internet Explorer.
The subject line of infected messages generally reads "Internet
Security Update"; the content instructs users to execute
an attached file named q216309.exe (or something similar).
The attachment is the Gibe code which, if executed, infects
a system and then uses Outlook and a custom SMTP engine to
spread itself to other systems. The Gibe worm also installs
a Trojan horse program to allow back door access to any infected
system. Keeping your system's anti-virus software up-to-date
and refraining from opening attachments from anyone other than
people you know well are the two best preventative measures.
If your system becomes infected with Gibe, obtain the Gibe
removal tool and instructions by visiting the Symantec
Web site.
The Gokar Worm
Discovered in mid-December, the new Gokar
Worm is spreading around the Internet. Outlook and Outlook
Express users, users of mIRC (an Internet Relay Chat program),
and anyone connected to an IIS Web server are at risk. The
worm spreads via email when a user double clicks on an attachment
(which will have an extension such as .exe, .com, .bat, .pif,
or .scr) to a message sent by the worm.
Gokar installs a file named "Karen.exe" and then sends
itself to every address in the Outlook or Outlook Express
address book. mIRC users' systems can become infected if the
worm has infected a system in the same discussion or channel.
Downloading the worm from IIS web sites is still another way
this worm infects systems.
If Gokar infects an IIS Web server, it modifies the home page
to display the message "We are Forever" and offers
a hyperlink to download a file (Web.exe) infected with the
worm. The worm becomes active every time the infected system
boots. If your system contains a file named "Karen.exe",
Gokar has in all likelihood infected your system. Keeping
your anti-virus software up to date and refraining from opening
suspicious attachments or downloading files such as Web.exe
from IIS web sites are good preventative measures. For more
information, see the Computer World article.
The Goner Virus
The Goner Virus (also called "W32.Goner" and "Pentagone")
is the latest malicious self-reproducing program to spread
throughout the Internet. A Visual Basic Script (VBS) implementation,
this virus arrives as an attachment that appears to be a screensaver
(Goner.scr). Targeting only Windows systems running Outlook
clients, Goner spreads itself via e-mail and ICQ instant messaging.
The subject line of a message that contains this virus is
"Hi." If a user opens the attachment, Goner stops
antivirus and security applications and then deletes all files
in the folders that hold these applications. As if this were
not enough, it also installs a backdoor program that can be
used to initiate denial-of-service attacks against chat servers.
Keeping your Windows system's antivirus software updated and refraining
from opening strange attachments or attachments sent by people
you do not know are two of the best ways to prevent infections
by Goner. For more information visit: http://www.cert.org/incident_notes/IN-2001-15.html.