AL-2001.18 -- W32.Goner.A@mm Worm
Date:
05 December 2001
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
                        A U S C E R T   A L E R T

                    AL-2001.18 -- AUSCERT ALERT
                        W32.Goner.A@mm Worm
                          5 December 2001
===========================================================================

PROBLEM:

        AusCERT has been made aware of the existence of a new mass mailing
        worm "Goner" that spreads itself via email attachments, IRC and ICQ.
        The execution of this file causes the infected host computer to
        begin mass-mailing the virus using the Microsoft Outlook address
        book. The virus will also attempt to delete files of common
        anti-virus and firewall products. This is disguised by an 'About'
        window followed by a fake error message that is designed to lead
        users to believe that the program failed to execute.

        AusCERT has received reports of the virus in Australia. "Goner" has
        spread rapidly overseas and it is recommended that members take
        measures to protect themselves.

        Messages sent by the "Goner" virus have the following
        characteristics:

        - a subject line of "Hi"

        - an attachment called "Gone.scr" that is 38,912 bytes long
          (Outlook reports it as "gone.scr (38 KB)")

        - the body of the message contains the text:

                How are you ?
                When I saw this screen saver, I immediately thought about you
                I am in a harry, I promise you will love it!

        When run, the worm performs the following actions:

        - displays an 'About' box containing information on who wrote and
          tested the program (these may be fake).

        - displays an error window with the text "Error While Analyze
          DirectX!".

        - iterates through the Microsoft Outlook address book, sending
          copies of itself to all addresses found there.

        - attempts to stop and delete common anti-virus and firewall
          products. If this step fails due to access errors, "Goner" will
          modify the WININIT.INI file to delete the files on the next
          reboot.

        - uses an ICQ DLL, if installed, that will enable it to spread
          itself via ICQ messages.
        - adds an IRC script that contains instructions to launch Denial
          of Service attacks against other IRC users. This script is added
          to the mIRC SCRIPT.INI file.

        - adds itself into the registry as a run-on-startup application.

PLATFORM:

        "Goner" is a PE (Portable Executable) program, and as such will run
        on any 32-bit Windows platform, including Windows 9X, ME, NT, 2000
        and XP. Depending on access restrictions in NT, 2000 and XP some of
        the above actions may fail.

IMPACT:

        "Goner" has the ability to degrade network and system performance
        and possibly cause a Denial of Service attack on other systems. Due
        to its ability to disable anti-virus programs, it can also increase
        the risk of infection by other viruses.

RECOMMENDATIONS:

        A. Detection

        Since "Goner" has the ability to impair virus scanners you may need
        to manually check for the virus' presence. Follow the instructions
        supplied by virus scanner vendors (see the links below).

        Organisations should consider blocking or quarantining executable
        files at their email gateway. This should prevent the "Goner" virus
        from reaching vulnerable computers in the first place, however it
        is recommended that all organisations contact their anti-virus
        vendors for an updated virus signature file that will detect this
        virus.

        B. Recovery

        Recovery from the "Goner" virus is made difficult by its ability to
        disable anti-virus programs. Follow the recovery steps listed at
        the following sites:

        http://vil.nai.com/vil/virusSummary.asp?virus_k=99272
        http://www.sarc.com/avcenter/venc/data/w32.goner.a@mm.html
        http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_GONE.A
        http://www.sophos.com/virusinfo/analyses/w32gonera.html
        http://www.europe.f-secure.com/v-descs/goner.shtml

        C. User Education

        System Administrators are urged to inform their users about proper
        precautions with regard to handling email attachments.
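        The gateway-side checks in A and C above, as an added example that
        is not part of the AusCERT alert: it parses constructed sample
        messages with Python's standard email library and returns a verdict
        for each. A message is reported as "Goner" only when all three
        indicators agree (subject "Hi", an attachment named Gone.scr of
        exactly 38,912 bytes after decoding, and the fixed body text); a
        message that fails that match but still carries an executable
        attachment is quarantined under the broader policy the alert
        recommends. The extension list and the sample addresses are
        assumptions, and the 38,912 zero bytes merely stand in for the real
        attachment.

```python
"""Email-gateway triage for the W32.Goner.A@mm indicators in AL-2001.18.

Added example, not AusCERT's code. Builds a few constructed messages and
classifies each as a Goner match, an executable attachment to quarantine,
or deliverable. EXECUTABLE_EXTENSIONS is an assumed local policy; the alert
names no specific extensions.
"""
import email
import os
from email import policy
from email.message import EmailMessage

GONER_SUBJECT = "Hi"
GONER_ATTACHMENT = "gone.scr"   # compared case-insensitively
GONER_SIZE = 38912              # bytes, after transfer decoding
GONER_BODY_MARKER = "When I saw this screen saver, I immediately thought about you"

# Assumed gateway policy: attachment extensions treated as executable.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".vbs"}


def iter_attachments(msg):
    """Yield (filename, decoded bytes) for every leaf part that names a file."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            yield filename, part.get_payload(decode=True) or b""


def matches_goner(msg):
    """True only when subject, body text and attachment name/size all agree.

    A right-named attachment with the wrong size, or the right attachment
    under another subject, is not reported as Goner (it may still be
    quarantined by has_executable_attachment)."""
    if (msg.get("Subject") or "").strip() != GONER_SUBJECT:
        return False
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if GONER_BODY_MARKER not in text:
        return False
    return any(
        name.lower() == GONER_ATTACHMENT and len(data) == GONER_SIZE
        for name, data in iter_attachments(msg)
    )


def has_executable_attachment(msg):
    """Policy check independent of the worm's exact indicators."""
    return any(
        os.path.splitext(name.lower())[1] in EXECUTABLE_EXTENSIONS
        for name, _ in iter_attachments(msg)
    )


def triage(raw_bytes):
    """Return 'goner', 'quarantine-executable' or 'deliver' for one raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    if matches_goner(msg):
        return "goner"
    if has_executable_attachment(msg):
        return "quarantine-executable"
    return "deliver"


def build_message(subject, body, filename=None, payload=b""):
    """Construct a sample message; the addresses are made up."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if filename is not None:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


GONER_BODY = (
    "How are you ?\n"
    "When I saw this screen saver, I immediately thought about you\n"
    "I am in a harry, I promise you will love it!\n"
)

# Constructed samples; zero bytes stand in for the real 38,912-byte attachment.
SAMPLES = {
    "goner": build_message("Hi", GONER_BODY, "Gone.scr", b"\x00" * GONER_SIZE),
    "wrong_size": build_message("Hi", GONER_BODY, "gone.scr", b"\x00" * 100),
    "other_subject": build_message("Re: report", GONER_BODY, "Gone.scr",
                                   b"\x00" * GONER_SIZE),
    "benign": build_message("Minutes", "Attached as discussed.\n",
                            "minutes.pdf", b"%PDF-1.4\n"),
    "plain": build_message("Lunch?", "Noon at the usual place?\n"),
}


def triage_all(samples=SAMPLES):
    """Verdict per sample name; used by the demo below."""
    return {name: triage(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:14s} -> {verdict}")
```

        Matching on the decoded attachment size rather than the base64
        length avoids a false negative when a gateway re-encodes the
        message; the size check is also why the "wrong_size" sample falls
        through to the executable-attachment quarantine instead of being
        reported as Goner.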
        AusCERT recommends that sites should update and check their virus
        defences and either delete or quarantine any email messages or
        attachments that resemble those described above or in the following
        links.

        D. Update Anti-Virus Packages

        System Administrators and users are urged to ensure that the latest
        anti-virus software is installed and that it is using the most
        current up-to-date virus databases.

        More information can be found at:

        http://vil.nai.com/vil/virusSummary.asp?virus_k=99272
        http://www.sarc.com/avcenter/venc/data/w32.goner.a@mm.html
        http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_GONE.A
        http://www.sophos.com/virusinfo/analyses/w32gonera.html
        http://www.europe.f-secure.com/v-descs/goner.shtml

        AusCERT will continue to monitor the situation and we would
        appreciate any reports regarding this activity. If you have any
        information, comments or questions about this threat, please
        contact us.

- ---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation. The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures. AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AusCERT
Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

Postal:         Australian Computer Emergency Response Team
                The University of Queensland
                Brisbane
                Qld 4072
                AUSTRALIA
===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPA3p3Sh9+71yA2DNAQG9sAP6AprcDxh0w8oFtinxT653ZESbua3LyfpI
Z0EAV8YPVFBMr4lFuRdoGd7lHriM5Syyqhh1fo+DKYLGby55F2VqXZICty2p0Jfe
PA5mHeMwuaruSo2B+Gi9AtArBMMwhzP2zBV0cFeIuiUF4TROQ9IyIYHnfk90xbtf
DtuxMdnR9cw=
=dmSD
-----END PGP SIGNATURE-----