Worm:W32/Goner

The worm spreads itself using Outlook email messages as GONE.SCR attachment. It also spreads through ICQ Instant Messanger if it's installed on an infected computer. It also drops a few scripts to MIRC client directory. These scripts can be used to flood certain IRC chat channels. Goner also tries to delete security programs, such as firewalls and anti-virus programs from the system. Although this sounds serious, it doesn't actually help the spreading of the virus much: the virus can only delete security programs if it is able to execute itself; thus the security program was not able to stop Goner anyway, and deleting such programs doesn't help the virus. This technique does make the system more vulnerable to OTHER viruses and threats, though. The worm is a PE EXE file about 39 kilobytes long, it is packed with UPX file compressor. The worm's unpacked file is about 145 kilobytes long. When the worm's file is run, it shows a dialog box with greetings and some animation. This is done to disguise itself. Then it shows a messagebox with a fake error message:

The worm copies itself as GONE.SCR to Windows System folder and tries to creates its startup key in the Registry. The worm runs as a service process, so its task is not visible in Task Manager. To spread itself the worm connects to Outlook Address Book, reads email addresses from it and sends itself to all these addresses. The infected message looks like that:

Subject:Hi Body: How are you ? When I saw this screen saver, I immediately thought about you I am in a harry, I promise you will love it! Attachment:Gone.scr

The worm also attempts to send itself through ICQ if it is installed on an infected computer. It uses a standard ICQ component to send out its file. The worm sends file transfer request to a contact of an infected user who appears to be on-line (in any mode) and if that person approves file transfer, the worm sends its file to that person. This way all ICQ contacts of an infected user will get the worm. The worm looks for and terminates the following processes:

• APLICA32.EXE
• ZONEALARM.EXE
• ESAFE.EXE
• CFIADMIN.EXE
• CFIAUDIT.EXE
• CFINET32.EXE
• CFINET.EXE
• IAMSERV.EXE
• IAMAPP.EXE
• PCFWallIcon.EXE
• FRW.EXE
• VSHWIN32.EXE
• VSECOMR.EXE
• WEBSCANX.EXE
• AVCONSOL.EXE
• VSSTAT.EXE
• NAVAPW32.EXE
• NAVW32.EXE
• _AVP32.EXE
• _AVPCC.EXE
• _AVPM.EXE
• AVP32.EXE
• AVPCC.EXE
• AVPM.EXE
• AVP.EXE
• LOCKDOWN2000.EXE
• ICLOAD95.EXE
• ICMON.EXE
• ICSUPP95.EXE
• ICLOADNT.EXE
• ICSUPPNT.EXE
• TDS2-98.EXE
• TDS2-NT.EXE
• SAFEWEB.EXE

The worm deletes all files in the directory and all subdirectories where the file (which task was killed) is located. If deletion fails, the worm creates WININIT.INI file that will delete these files on next Windows startup. The worm also tries to delete C:\SAFEWEB\ folder.

Note

F-Secure Anti-Virus detects Goner worm with updates from December 4th, 2001 / 16:05:50 (GMT+2)

NOTE: Although many other anti-virus companies rank Goner to their highest risk level, F-Secure is still maintaining this virus at F-Secure Radar Level 2. The data we have on this virus currently does not justify ranking it higher; we've received only limited out of samples of the virus from the field, the virus is not destructive in nature and it is very obvious for the user to spot and avoid.