IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

ALERT 01-029.1

"VBS/Mass-Mailing Worm, W32/Goner.A"
December 05, 2001

[Updates to NIPC Alert 01-029 are in bold]  

The National Infrastructure Protection Center (NIPC) continues to monitor a mass-mailing worm called W32/Goner.A. This is a very fast-spreading mass-mailing worm that appears to take advantage of Visual Basic Scripting built into Microsoft Outlook and Outlook Express (Windows-based), then propagates using e-mail and an online instant messenger (ICQ). Developing information continues to indicate that this worm mails itself to all addresses within the infected computer's Outlook or Outlook Express address book, sets itself as a server process so it does not show up in the task manager, and deletes the anti-virus definitions from many common anti-virus products. It also searches out and terminates many commercial anti-virus software and firewall product processes.

The e-mail sent, to date, is always the same:

Subject: Hi
Attachment: gone.scr

Message text:
"How are you?
When I saw this screen saver, I immediately thought about you
I am in a harry[sic], I promise you will love it! "

Goner spreads itself via ICQ's online instant messaging program client using the library file ICQMAPI.DLL. Goner copies that DLL from the directory C:\PROGRAM FILES\ICQ\ to the Windows system directory. Goner then sends itself to all on-line users (regardless of mode) from an internal list of online users, via ICQ file transfer. Goner also answers to requests from other users requesting file transfers.

In order to hide its presence and actions, Goner does several things within the system. First, Goner sets itself up as a server process so it does not show up in the task manager as a running program. It then writes itself to the Windows registry so the worm is restarted upon reboot. Goner then searches out and terminates processes from many commercial anti-virus software packages and many commercial firewall products, including those for personal use. This renders the anti-virus software and firewall software temporarily useless, however infected users may still believe they are protected.

Recommended Actions:

Update virus definitions and scan for presence of the worm. Ensure virus definitions include the signature for Goner or request definition updates from your technical support personnel. Most major anti-virus companies have provided new definition files for this virus. If your definition file pre-dates December 04, 2001, it is not current. Older definitions do not alert on this worm.

For individual users:

Consider deleting unexpected e-mails that contain file attachments without opening them.

Exercise particular caution with respect to e-mails that contain attachments that end in .exe, .vbs, .bat, .scr, and .pif.

Consider turning off all script and scripting within the e-mail client security settings.

Consider upgrading your e-mail client. Outlook 2002 has many security features enabled by default that would block propagation of Goner and certain other mass mailing e-mail worms.

These actions may help protect you against this worm and many other mass-mailingmalware products in the wild today.

For Corporate users and system administrators:

Consider blocking ICQ traffic during an infection to block further propagation. ICQ client-to-server communication is conducted over TCP port 5190.

Consider blocking all messages that have attachments with extensions mentioned above. NIPC recommends having a virus checker at the mail server point that scans all incoming and outgoing messages for malicious code, as well as blocking executable file extensions.

The anti-virus software industry is aware of Goner and is providing signature files to download to detect and remove it from infected hosts. Full descriptions and removal instructions are located at the following anti-virus web sites:

F-Secure Corp.
http://www.f-secure.com/v-descs/goner.shtml

Network Associates Inc./McAfee.com
http://vil.mcafee.com/dispVirus.asp?virus_k=99272&

Symantec Corp.
http://www.symantec.com/avcenter/venc/data/w32.goner.a@mm.html

Trend Micro Inc. http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_GONE.A

As always, the NIPC encourages computer users to keep anti-virus and systems software current by frequently checking vendor web sites for updates, and routinely checking for alerts issued by the NIPC, FedCIRC, CERT/CC, and similar organizations.

The NIPC encourages recipients of this alert to report computer intrusions to their local FBI office http://www.fbi.gov/contact/fo/fo.htm or the NIPC, and to other appropriate authorities. Recipients may report incidents online at http://www.nipc.gov/incident/cirr.htm, and can reach the NIPC Watch and Warning Unit at (202) 323-3205, 1-888-585-9078 or nipc.watch@fbi.gov.