RUPP-L Archives

From: LISTOWNER <>
Subject: [RUPP] New Virus/Trojan - W32/Goner.A, "Goner Screen Saver"
Date: Fri, 07 Dec 2001 01:20:07 -0500


Just in case any of you haven't heard of the latest infection, the "Goner
Screen Saver", please read the following. Of course, most of you already
know not to open attachments to emails, BUT..... just in case some of
you are "newbies", you should read and heed the warning.

(PLEASE DO NOT REPLY TO THIS ON THE LIST. IF YOU NEED
TO DISCUSS IT, EMAIL ME PRIVATELY. THANKS)

Regards,
SgtGeorge
George W. Durman
Listowner

= = = = = = = = = = =

For those of you who may have been hit by the W32/Goner.A "Screen Saver"
worm, at the end of this message are some recommended actions and websites
that may be able to assist.

SA Jane B. Marazzo
FBI Philadelphia
215-418-4411
InfraGard Philadelphia Chapter
National: http://www.nipc.gov/


ALERT 01-029.1

"VBS/Mass-Mailing Worm, W32/Goner.A"

December 05, 2001

[Updates to NIPC Alert 01-029 are included]

The National Infrastructure Protection Center (NIPC) continues to monitor a
mass-mailing worm called W32/Goner.A. This is a very fast-spreading
mass-mailing worm that appears to take advantage of Visual Basic Scripting
built into Microsoft Outlook and Outlook Express (Windows-based), then
propagates using e-mail and an online instant messenger (ICQ.) Developing
information continues to indicate that this worm mails itself to all
addresses within the infected computer's Outlook or Outlook Express address
book, sets itself as a server process so it does not show up in the task
manager, and deletes the anti-virus definitions from many common anti-virus
products. It also searches out and terminates many commercial anti-virus
software and firewall product processes.

The E-Mail sent, to date, is always the same:
Subject: Hi
Attachment: gone.scr

Message text:

"How are you?
When I saw this screen saver, I immediately thought about you
I am in a harry[sic], I promise you will love it! "

Goner spreads itself via ICQ's online instant messaging program client using
the library file ICQMAPI.DLL. Goner copies that DLL from the directory
C:\PROGRAM FILES\ICQ\ to the Windows system directory. Goner then sends
itself to all on-line users (regardless of mode) from an internal list of
online users, via ICQ file transfer. Goner also answers to requests from
other users requesting file transfers.

In order to hide its presence and actions, Goner does several things within
the system. First, Goner sets itself up as a server process so it does not
show up in the task manager as a running program. It then writes itself to
the Windows registry so the worm is restarted upon reboot. Goner then
searches out and terminates processes from many commercial anti-virus
software packages and many commercial firewall products, including those for
personal use. This renders the anti-virus software and firewall software
temporarily useless; however, infected users may still believe they are
protected.

Recommended Actions:

Update virus definitions and scan for presence of the worm. Ensure virus
definitions include the signature for Goner or request definition updates
from your technical support personnel. Most major anti-virus companies have
provided new definition files for this virus. If your definition file
pre-dates 4 December 2001, it is not current. Older definitions do not alert
on this worm.

For individual users:

Consider deleting unexpected e-mails that contain file attachments without
opening them.

Exercise particular caution with respect to e-mails that contain attachments
that end in .exe, .vbs, .bat, .scr, and .pif.

Consider turning off all script and scripting within the e-mail client
security settings.

Consider upgrading your e-mail client. Outlook 2002 has many security
features enabled by default that would block propagation of Goner and
certain other mass mailing e-mail worms.

These actions may help protect you against this worm and many other
mass-mailing malware products in the wild today.

For Corporate users and system administrators:

Consider blocking ICQ traffic during an infection to block further
propagation. ICQ client-to-server communication is conducted over TCP port
5190.

Consider blocking all messages that have attachments with extensions
mentioned above. NIPC recommends having a virus checker at the mail server
point that scans all incoming and outgoing messages for malicious code, as
well as blocking executable file extensions.
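The alert describes the Goner message (subject "Hi", attachment gone.scr) and recommends that mail servers block attachments with the extensions .exe, .vbs, .bat, .scr and .pif. The following is an added example, not part of the NIPC alert or of any vendor product, of how such a gateway check can be written in Python using only the standard library. The two sample messages are constructed here for illustration; the extension comparison is case-insensitive and looks at the final extension, so a double-extension name such as photo.jpg.scr or a name with trailing whitespace is still caught.

```python
from email import message_from_string
from email.message import Message

# Extensions the alert recommends blocking at the mail server.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".bat", ".scr", ".pif"}

# The Goner e-mail indicators as stated in the alert.
GONER_SUBJECT = "hi"
GONER_ATTACHMENT = "gone.scr"


def is_blocked_attachment(filename: str) -> bool:
    """True if the attachment name ends in a blocked extension.

    Trailing whitespace and dots are stripped and the comparison is
    case-insensitive, so "GONE.SCR", "photo.jpg.scr" and "gone.scr."
    are all rejected while "report.pdf" is not.
    """
    name = filename.strip().rstrip(".").lower()
    return any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def attachment_names(msg: Message) -> list:
    """Collect the file names of every attachment part in a parsed message."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def classify(raw: str) -> dict:
    """Decide whether a raw RFC 822 message should be blocked or delivered.

    Returns the attachment names seen, the ones that matched the extension
    blocklist, the resulting action, and whether the message also matches
    the specific Goner subject/attachment pair from the alert.
    """
    msg = message_from_string(raw)
    names = attachment_names(msg)
    blocked = [n for n in names if is_blocked_attachment(n)]
    subject = (msg.get("Subject") or "").strip().lower()
    goner = subject == GONER_SUBJECT and any(
        n.strip().lower() == GONER_ATTACHMENT for n in names
    )
    return {
        "attachments": names,
        "blocked": blocked,
        "action": "block" if blocked else "deliver",
        "goner_indicators": goner,
    }


# Constructed sample: the message shape described in the alert (the
# attachment payload is dummy base64, not the worm).
SAMPLE_GONER = """\
From: someone@example.invalid
To: you@example.invalid
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

How are you?
When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!
--XYZ
Content-Type: application/octet-stream; name="gone.scr"
Content-Disposition: attachment; filename="gone.scr"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""

# Constructed sample: an ordinary message with a document attached.
SAMPLE_BENIGN = """\
From: colleague@example.invalid
To: you@example.invalid
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABC"

--ABC
Content-Type: text/plain

Attached as discussed.
--ABC
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

AAAA
--ABC--
"""

if __name__ == "__main__":
    for label, raw in (("goner", SAMPLE_GONER), ("benign", SAMPLE_BENIGN)):
        print(label, classify(raw))
```

A filter like this belongs at the mail server, where the alert places it, rather than in the client: the client-side setting that matters there is disabling scripting, which the alert also recommends. The extension check is deliberately independent of the Goner indicators, so it continues to stop the next worm that uses a different subject line but the same attachment types.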

The anti-virus software industry is aware of Goner and is providing
signature files to download to detect and remove it from infected hosts.
Full descriptions and removal instructions are located at the following
anti-virus Web sites:

F-Secure Corp.
http://www.f-secure.com/v-descs/goner.shtml

Network Associates Inc./McAfee.com
http://vil.mcafee.com/dispVirus.asp?virus_k=99272

Symantec Corp.
http://www.symantec.com/avcenter/venc/data/ [entry "w32.goner.a"; remainder of the link not recoverable from the archive]

Trend Micro Inc.
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_GONE.A

As always, the NIPC encourages computer users to keep anti-virus and systems
software current by frequently checking vendor web sites for updates, and
routinely checking for alerts issued by the NIPC, FedCIRC, CERT/CC, and
similar organizations.

The NIPC encourages recipients of this alert to report computer intrusions
to their local FBI office http://www.fbi.gov/contact/fo/fo.htm or the NIPC,
and to other appropriate authorities. Recipients may report incidents online
at http://www.nipc.gov/incident/cirr.htm, and can reach the NIPC Watch and
Warning Unit at (202) 323-3205, 1-888-585-9078 or .
