Symantec Security Response - W32.Darkgoose.Trojan W32.Darkgoose.Trojan is a Visual Basic application that creates and executes a batch file that will delete all files from C:\, C:\Windows, C:\Windows\System and C:\Windows\System32. Type: Trojan Horse Infection Length: 20,480 bytes, 145 bytes Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me Systems Not Affected: Windows 3.x, Macintosh, OS/2, Unix, Linux technical details When it is executed, W32.Darkgoose.Trojan creates the file C:\Abracadabra.bat This batch file contains instructions to delete all files from these folders: C:\ C:\Windows C:\Windows\System C:\Windows\System32 The paths are hardcoded within the Trojan. The Trojan then displays a series of dialog boxes, which in succession, display the following lines of text : Do Like Magic Yes you say. Well then here gose! I Can Make things Magically Disapear!!! 5 4 3 2 1 Abracadabra, you computer files are magically dissapearing!!! Good bye! After displaying the last line, W32.Darkgoose.Trojan executes the batch file in a hidden window. It waits for it to finish and then deletes it. removal instructions NOTES: [*]These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines. [*]If W32.Darkgoose.Trojan has already run, it is likely that you will not be able to start Windows. In this situation, you will first have to reinstall the operating system and your Symantec antivirus software, or restore them from a clean backup copy. 1. Update the virus definitions. 2. Run a full system scan. 3. Delete all files that are detected as W32.Darkgoose.Trojan.