12/04/2001: Goner Virus/Worm Warning

Goner is a mass-mailer written in Visual Basic. The worm spreads itself using Outlook and ICQ if it's installed on an infected computer. It also drops a few scripts to MIRC client directory. These scripts can be used to flood certain IRC channels.

When the worm's file is run, it shows a dialog box with greetings and some animation. This is done to disguise itself. Then it shows a message box with a fake error message:

        Error While Analyze DirectX!

The worm copies itself as GONE.SCR to Windows System folder and tries to creates its startup key in the Registry. The worm runs as a service process, so its task is not visible in Task Manager.

To spread itself the worm connects to Outlook Address Book, reads e-mail addresses from it and sends itself to all these addresses. The infected message looks like the following:

        Subject: Hi

        Body:

                How are you ?
                When I saw this screen saver, 
                I immediately thought about you
                I am in a harry, I promise you will love it!

        Attachment: Gone.scr

The worm also attempts to send itself through ICQ if it is installed on an infected computer. It uses a standard ICQ component to send out its file. The worm sends file transfer request to a contact of an infected user who appears to be on-line (in any mode) and if that person approves file transfer, the worm sends its file to that person.

This worm looks for common anti-virus software and firewall programs, and deletes them if found.

Mcafee VirusScan will update their virus definition files (DAT files) to version 4174 available 12/05/01 which will neutralize this virus.

For more information on this virus, and for instructions on manually removing this virus, please visit the following URL:

http://www.mcafee.com/anti-virus/viruses/goner/default.asp?cid=2636

If you have any questions, please call the BOL Help Desk at (310) 825-7452, Option 1.