W32.Darkgoose.Trojan

Discussion in 'malware problems & news' started by Randy_Bell, Nov 30, 2002.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Symantec Security Response - W32.Darkgoose.Trojan

    W32.Darkgoose.Trojan is a Visual Basic application that creates and executes a batch file that will delete all files from C:\, C:\Windows, C:\Windows\System and C:\Windows\System32.

    Type: Trojan Horse
    Infection Length: 20,480 bytes, 145 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Windows 3.x, Macintosh, OS/2, Unix, Linux

    technical details

    When it is executed, W32.Darkgoose.Trojan creates the file C:\Abracadabra.bat

    This batch file contains instructions to delete all files from these folders:

    • C:\
    • C:\Windows
    • C:\Windows\System
    • C:\Windows\System32

    The paths are hardcoded within the Trojan.

    The Trojan then displays a series of dialog boxes, which in succession, display the following lines of text :

    Do Like Magico_O Yes you say. Well then here gose!
    I Can Make things Magically Disapear!!!
    5
    4
    3
    2
    1
    Abracadabra, you computer files are magically dissapearing!!! Good bye!

    After displaying the last line, W32.Darkgoose.Trojan executes the batch file in a hidden window. It waits for it to finish and then deletes it.

    removal instructions

    NOTES:

    [*]These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
    [*]If W32.Darkgoose.Trojan has already run, it is likely that you will not be able to start Windows. In this situation, you will first have to reinstall the operating system and your Symantec antivirus software, or restore them from a clean backup copy.


    • 1. Update the virus definitions.
      2. Run a full system scan.
      3. Delete all files that are detected as W32.Darkgoose.Trojan.
     
Thread Status:
Not open for further replies.