A new mass-mailing email worm has been reported by MessageLabs. The message arrives with:
Subject: Hi
and message body:
How are you ?
When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!
The attached file is approximately 39 KB in size and is named "gone.scr".
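The message characteristics above are enough to block the worm at a mail gateway before any user opens the attachment. The following is an added example, not code from the original advisory or from MessageLabs: a Python check that flags a message matching the Goner subject, body text and ".scr" attachment. The sample message is constructed in the script itself; the size window around 39 KB and the indicator names are this example's own assumptions.

```python
"""Added example, not code from the original advisory: a mail-gateway style
check for the Goner message described above, using only the Python standard
library.  The sample message is constructed here; the 39 KB size window and
the indicator names are this example's own assumptions."""
from email.message import EmailMessage
from email import policy

# Indicators taken from the advisory: subject line, body phrases, attachment
# name and approximate size.
GONER_SUBJECT = "hi"
GONER_BODY_PHRASES = ("screen saver", "i am in a harry")
GONER_ATTACHMENT = "gone.scr"
GONER_SIZE_RANGE = (30_000, 50_000)   # bytes; loose bounds around ~39 KB (assumption)


def goner_indicators(msg: EmailMessage) -> list[str]:
    """Return the names of the Goner indicators present in msg."""
    hits = []
    if (msg.get("Subject") or "").strip().lower() == GONER_SUBJECT:
        hits.append("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    if all(phrase in body for phrase in GONER_BODY_PHRASES):
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".scr"):
            continue
        hits.append("scr-attachment")
        if name == GONER_ATTACHMENT:
            hits.append("attachment-name")
        size = len(part.get_payload(decode=True) or b"")
        if GONER_SIZE_RANGE[0] <= size <= GONER_SIZE_RANGE[1]:
            hits.append("attachment-size")
    return hits


def is_goner(msg: EmailMessage) -> bool:
    """The exact attachment name is decisive; otherwise require subject, body
    and a .scr attachment together, so a lone 'Hi' subject is not enough."""
    hits = set(goner_indicators(msg))
    return "attachment-name" in hits or {"subject", "body", "scr-attachment"} <= hits


def build_sample(attachment_name: str = "gone.scr", size: int = 39 * 1024) -> EmailMessage:
    """Constructed sample resembling the worm's mail; the payload is filler bytes."""
    msg = EmailMessage(policy=policy.default)
    msg["Subject"] = "Hi"
    msg["From"] = "someone@example.com"
    msg["To"] = "you@example.com"
    msg.set_content(
        "How are you ?\n"
        "When I saw this screen saver, I immediately thought about you\n"
        "I am in a harry, I promise you will love it!\n"
    )
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg


if __name__ == "__main__":
    sample = build_sample()
    print(goner_indicators(sample), is_goner(sample))
```

Matching only on the subject line would produce false positives on ordinary mail, so the check treats the attachment name as the decisive indicator and otherwise requires subject, body and a ".scr" attachment together. A renamed copy of the worm still trips the weaker rule because the body text is unchanged.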
According to antivirus vendor F-Secure, the Goner worm spreads using Microsoft® Outlook and ICQ. Scripts dropped into the mIRC client directory can also be used to flood certain IRC channels.
If the infected attachment is opened, the worm first displays an animated dialog box and then a bogus error message. The worm then creates a copy of itself in the C:\Windows\System folder and registers itself as a service process via the system registry so that it runs at every startup.
In addition to mass-mailing itself to addresses found in the Windows Address Book, Goner also sends itself via ICQ (if installed) by sending file transfer requests to contacts. According to F-Secure, if that person approves the file transfer, the worm sends its file to that person.
More insidiously, the worm looks for and terminates the following processes, which include components of AVP (Kaspersky), McAfee VirusScan, ConSeal PC Firewall, eSafe, Norton Personal Firewall, Sophos, Lockdown Anti-Trojan, Norton AntiVirus, McAfee PC Firewall, Safeweb Privacy Software, Trojan Defense System, Trend Micro, and ZoneAlarm:
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
APLICA32.EXE
AVCONSOL.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPM.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
ESAFE.EXE
FRW.EXE
IAMAPP.EXE
IAMSERV.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
LOCKDOWN2000.EXE
NAVAPW32.EXE
NAVW32.EXE
PCFWallIcon.EXE
SAFEWEB.EXE
TDS2-98.EXE
TDS2-NT.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSSTAT.EXE
WEBSCANX.EXE
ZONEALARM.EXE
The Goner worm will also try to delete these files and, if it fails (for example because the process still holds the file open), will create a WININIT.INI file so that Windows deletes the files on the next system startup. Shutting down or deleting these protective programs leaves the system vulnerable to other malicious code and to attackers.
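On Windows 9x, WININIT.INI holds a [rename] section of "destination=source" lines that Windows processes at boot before the files are in use; a destination of NUL means the source file is deleted. The following is an added example, not code from the original advisory or from any antivirus vendor: a Python parser that reads such a file, lists the pending deletions, flags those aimed at the security products named above, and rewrites the file with the worm's entries removed so they never execute. The INI text below is constructed for this example; the legitimate entries in it are fictitious.

```python
"""Added example, not code from the original advisory: parse a Windows 9x
WININIT.INI to find the delete-on-reboot entries Goner leaves behind when it
cannot delete a security product immediately.  The INI text is constructed."""
import ntpath

# Process names the advisory says Goner terminates and tries to delete.
GONER_TARGETS = frozenset(name.lower() for name in (
    "_AVP32.EXE", "_AVPCC.EXE", "_AVPM.EXE", "APLICA32.EXE", "AVCONSOL.EXE",
    "AVP.EXE", "AVP32.EXE", "AVPCC.EXE", "AVPM.EXE", "CFIADMIN.EXE",
    "CFIAUDIT.EXE", "CFINET.EXE", "CFINET32.EXE", "ESAFE.EXE", "FRW.EXE",
    "IAMAPP.EXE", "IAMSERV.EXE", "ICLOAD95.EXE", "ICLOADNT.EXE", "ICMON.EXE",
    "ICSUPP95.EXE", "ICSUPPNT.EXE", "LOCKDOWN2000.EXE", "NAVAPW32.EXE",
    "NAVW32.EXE", "PCFWallIcon.EXE", "SAFEWEB.EXE", "TDS2-98.EXE",
    "TDS2-NT.EXE", "VSECOMR.EXE", "VSHWIN32.EXE", "VSSTAT.EXE",
    "WEBSCANX.EXE", "ZONEALARM.EXE",
))

# Constructed sample: two entries left by the worm, two unrelated ones.
SAMPLE_WININIT_INI = r"""[rename]
; constructed sample WININIT.INI for this example
NUL=C:\PROGRA~1\ZONELA~1\ZONEALARM.EXE
NUL=C:\PROGRA~1\NORTON~1\NAVW32.EXE
NUL=C:\WINDOWS\TEMP\~DF1234.TMP
C:\WINDOWS\SYSTEM\NEWDRV.DLL=C:\WINDOWS\TEMP\NEWDRV.TMP
"""


def parse_rename_section(ini_text: str) -> list[tuple[str, str]]:
    """Return (destination, source) pairs from the [rename] section, in the
    order Windows processes them.  A destination of 'NUL' means delete."""
    entries = []
    in_rename = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = (s.strip() for s in line.split("=", 1))
            entries.append((dest, src))
    return entries


def pending_deletions(ini_text: str) -> list[str]:
    """All files scheduled for deletion at next boot."""
    return [src for dest, src in parse_rename_section(ini_text) if dest.upper() == "NUL"]


def goner_deletions(ini_text: str) -> list[str]:
    """Pending deletions whose file name is one of Goner's known targets."""
    return [p for p in pending_deletions(ini_text)
            if ntpath.basename(p).lower() in GONER_TARGETS]


def neutralize(ini_text: str) -> str:
    """Return the INI text with Goner's NUL= entries removed; everything else,
    including comments and unrelated rename entries, is kept verbatim."""
    kept = []
    in_rename = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
        elif in_rename and "=" in line and not line.startswith(";"):
            dest, src = (s.strip() for s in line.split("=", 1))
            if dest.upper() == "NUL" and ntpath.basename(src).lower() in GONER_TARGETS:
                continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for path in goner_deletions(SAMPLE_WININIT_INI):
        print("Goner scheduled deletion:", path)
    print(neutralize(SAMPLE_WININIT_INI))
```

Run against the real C:\WINDOWS\WININIT.INI before rebooting an infected machine: any flagged entry is a security product the worm could not delete while it was running, and removing the line (or the whole file, if nothing else is pending) keeps that product in place for the cleanup that follows.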
Removing the worm
Antivirus software will require updating to definition files released December 4, 2001 or later in order to detect and remove the worm. To manually remove the worm, reboot into DOS mode using a clean system disk, change to the Windows\System directory and delete the file "gone.scr".