Threat Description

Worm:​W32/Goner

Details

Category:Malware
Type:Worm
Platform:W32

Summary



A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



Goner is a mass-mailer written in Visual Basic. It was found on December 4th, 2001. The worm spreads itself using Outlook e-mail messages as GONE.SCR attachment. It also spreads through ICQ Instant Messanger if it's installed on an infected computer. It also drops a few scripts to MIRC client directory. These scripts can be used to flood certain IRC chat channels. Goner also tries to delete security programs, such as firewalls and anti-virus programs from the system. Although this sounds serious, it doesn't actually help the spreading of the virus much: the virus can only delete security programs if it is able to execute itself; thus the security program was not able to stop Goner anyway, and deleting such programs doesn't help the virus. This technique does make the system more vulnerable to OTHER viruses and threats, though. The worm is a PE EXE file about 39 kilobytes long, it is packed with UPX file compressor. The worm's unpacked file is about 145 kilobytes long. When the worm's file is run, it shows a dialog box with greetings and some animation. This is done to disguise itself. Then it shows a messagebox with a fake error message:

The worm copies itself as GONE.SCR to Windows System folder and tries to creates its startup key in the Registry. The worm runs as a service process, so its task is not visible in Task Manager. To spread itself the worm connects to Outlook Address Book, reads e-mail addresses from it and sends itself to all these addresses. The infected message looks like that:

Subject:Hi
Body:
How are you ?
When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!
Attachment:Gone.scr

The worm also attempts to send itself through ICQ if it is installed on an infected computer. It uses a standard ICQ component to send out its file. The worm sends file transfer request to a contact of an infected user who appears to be on-line (in any mode) and if that person approves file transfer, the worm sends its file to that person. This way all ICQ contacts of an infected user will get the worm. The worm looks for and terminates the following processes:

  • APLICA32.EXE
  • ZONEALARM.EXE
  • ESAFE.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET32.EXE
  • CFINET.EXE
  • IAMSERV.EXE
  • IAMAPP.EXE
  • PCFWallIcon.EXE
  • FRW.EXE
  • VSHWIN32.EXE
  • VSECOMR.EXE
  • WEBSCANX.EXE
  • AVCONSOL.EXE
  • VSSTAT.EXE
  • NAVAPW32.EXE
  • NAVW32.EXE
  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPM.EXE
  • AVP.EXE
  • LOCKDOWN2000.EXE
  • ICLOAD95.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICLOADNT.EXE
  • ICSUPPNT.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • SAFEWEB.EXE

The worm deletes all files in the directory and all subdirectories where the file (which task was killed) is located. If deletion fails, the worm creates WININIT.INI file that will delete these files on next Windows startup. The worm also tries to delete C:\SAFEWEB\ folder.

Note

F-Secure Anti-Virus detects Goner worm with updates from December 4th, 2001 / 16:05:50 (GMT+2)

NOTE: Although many other anti-virus companies rank Goner to their highest risk level, F-Secure is still maintaining this virus at F-Secure Radar Level 2. The data we have on this virus currently does not justify ranking it higher; we've received only limited out of samples of the virus from the field, the virus is not destructive in nature and it is very obvious for the user to spot and avoid.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More