Goner is a mass-mailer written in Visual Basic. It was found on
December 4th, 2001.
NOTE: Although many other anti-virus companies rank Goner at their
highest risk level, F-Secure is still maintaining this virus at
F-Secure Radar Level 2.
The data we have on this virus currently does not justify ranking
it higher: we've received only a limited number of samples of the
virus from the field, the virus is not destructive in nature, and
it is very easy for the user to spot and avoid.
The worm spreads itself using Outlook e-mail messages as a GONE.SCR
attachment. It also spreads through ICQ Instant Messenger if it's
installed on an infected computer. It also drops a few scripts to
the mIRC client directory. These scripts can be used to flood
certain IRC chat channels.
Goner also tries to delete security programs, such as firewalls
and anti-virus programs from the system. Although this sounds
serious, it doesn't actually help the spreading of the virus
much: the virus can only delete security programs if it is able
to execute itself; thus the security program was not able to stop
Goner anyway, and deleting such programs doesn't help the virus.
This technique does make the system more vulnerable to OTHER
viruses and threats, though.
The worm is a PE EXE file about 39 kilobytes long, packed with the
UPX file compressor. The worm's unpacked file is about 145
kilobytes long.
When the worm's file is run, it shows a dialog box with greetings
and some animation. This is done to disguise itself. Then it
shows a messagebox with a fake error message:
Error While Analyze DirectX!
The worm copies itself as GONE.SCR to the Windows System folder and
tries to create its startup key in the Registry. The worm runs
as a service process, so its task is not visible in Task Manager.
To spread itself, the worm connects to the Outlook Address Book,
reads e-mail addresses from it and sends itself to all these
addresses. The infected message looks like this:
Subject: Hi
Body:
How are you ?
When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!
Attachment: Gone.scr
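A mail-gateway style check built from the message fields listed above, as an added example (not F-Secure's detection logic). The function names, indicator labels and sample messages are constructed for illustration; the attachment bytes are a harmless placeholder.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the message description on this page.
GONER_SUBJECT = "hi"
GONER_ATTACHMENT = "gone.scr"
GONER_BODY_PHRASES = ("when i saw this screen saver", "i promise you will love it")

def goner_indicators(raw_bytes):
    """Return the Goner indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == GONER_SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name == GONER_ATTACHMENT:
            hits.append("attachment-name")
        elif name.endswith(".scr"):
            hits.append("scr-attachment")  # executable screen saver, other name
        if part.get_content_type() == "text/plain" and not name:
            text = part.get_content().lower()
            if any(phrase in text for phrase in GONER_BODY_PHRASES):
                hits.append("body-text")
    return hits

def is_goner(raw_bytes):
    """Flag only when the attachment name agrees with subject or body text."""
    hits = goner_indicators(raw_bytes)
    return "attachment-name" in hits and ("subject" in hits or "body-text" in hits)

def build_sample(subject, body, filename):
    """Constructed test message; the attachment bytes are a harmless placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

SAMPLE_BODY = ("How are you ?\nWhen I saw this screen saver, I immediately "
               "thought about you\nI am in a harry, I promise you will love it!\n")

if __name__ == "__main__":
    print(goner_indicators(build_sample("Hi", SAMPLE_BODY, "Gone.scr")))
    print(is_goner(build_sample("Lunch?", "See you at noon.", "menu.pdf")))
```

Requiring the attachment name plus a second indicator keeps a bare "Hi" subject from triggering on its own, while any other .SCR attachment is still reported separately for review.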
The worm also attempts to send itself through ICQ if it is
installed on an infected computer. It uses a standard ICQ
component to send out its file. The worm sends a file transfer
request to a contact of an infected user who appears to be
on-line (in any mode), and if that person approves the file
transfer, the worm sends its file to that person. This way all ICQ
contacts of an infected user will get the worm.
The worm looks for and terminates the following processes:
The worm deletes all files in the directory, and in all of its
subdirectories, where the file of a terminated process is located.
If deletion fails, the worm creates a WININIT.INI file that will
delete these files on the next Windows startup.
The worm also tries to delete the C:\SAFEWEB\ folder.
F-Secure Anti-Virus detects the Goner worm with updates from
December 4th, 2001 / 16:05:50 (GMT+2)
NOTE: If you can't get the updates through the usual Backweb
server, you can download it directly from here: