Symantec Security Response - W32.Goner.A@mm

Due to the increased rate of submission and level of damage, Symantec Security Response is upgrading W32.Goner.A@mm from Category 3 to Category 4.
W32.Goner.A@mm is a mass-mailing worm that is written in Visual Basic. The worm has been compressed using a known Portable Executable (PE)* file compressor. The worm can spread its infection using the ICQ network as well as by email using Microsoft Outlook. If IRC is installed, this worm can also insert mIRC scripts that will enable the computer to be used in Denial of Service (DoS) attacks.
Removal Tool
Symantec Security Response has posted a removal tool to assist in eradicating this worm. Please go here to read the instructions and download the removal tool.
Virus Type: Worm
Infection Length: 38,912 bytes
W32.Goner.A@mm is capable of spreading over the ICQ network. If ICQ is installed on an infected machine, the worm will do the following:
1. Check for the version of the ICQ .dll file that contains the APIs that will be used. If the correct version is found, the worm proceeds.
2. Disable all notification. This means that the user cannot see what the worm is doing in the background.
3. Retrieve a list of all "buddies" who are currently online.
4. Retrieve information about each user individually. This information is required to be able to send files.
5. Send itself to all users on the list.
6. Re-enable all notifications.
If mIRC is installed, this worm can insert scripts into the mIRC folder. This allows the computer to be used in DoS attacks.
W32.Goner.A@mm
Discovered on: December 4, 2001
Last Updated on: December 4, 2001 at 09:15:56 PM PST
Damage:
Payload: Upon execution
Large scale e-mailing: Sends itself to all users in Outlook Address Books
Deletes files: Attempts to delete several files, including NAV

Distribution:
Subject of email: Hi
Name of attachment: Gone.scr
Size of attachment: 38,912 bytes
Technical description:
W32.Goner.A@mm starts by displaying the following window.
In the background, the worm starts iterating the Microsoft Outlook address book and sends itself to all addresses in the address book. The email appears as follows.
The worm has been packed using a known Portable Executable (PE) packer. The size of the worm unpacked is approximately 159 KB.
The worm adds the value
C:\%SYSTEM%\gone.scr C:\%SYSTEM%\gone.scr
to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
NOTES:
%SYSTEM% is the path to the Windows System folder. In most cases this would be C:\Windows\System; however, the location could be different if the Windows System folder has been installed to a different location. The name of the registry value is the same as its data: the path of the file being launched.
Once the registry key has been added, the worm will terminate the processes of common anti-virus and firewall products found on the computer from the list below:
APLICA32.EXE AVCONSOL.EXE AVP.EXE AVP32.EXE AVPCC.EXE AVPM.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET32.EXE ESAFE.EXE FRW.EXE ICLOAD95.EXE ICLOADNT.EXE ICMON.EXE ICSUPP95.EXE ICSUPPNT.EXE LOCKDOWN2000.EXE NAVAPW32.EXE NAVW32.EXE PCFWallIcon.EXE SAFEWEB.EXE TDS2-98.EXE TDS2-NT.EXE VSECOMR.EXE VSHWIN32.EXE VSSTAT.EXE WEBSCANX.EXE ZONEALARM.EXE _AVP32.EXE _AVPCC.EXE _AVPM.EXE
If such a process is found, the worm will delete the executable file and all files contained within the same directory and subdirectories where the given file resides. If the files are in use and cannot be deleted, the file %SYSTEM%\Wininit.ini is created, and is used to delete the files when the computer restarts.
NOTE: On Windows NT/2000/XP machines, the files are deleted using the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
where the files to be deleted are present in the value
PendingFileRenameOperations
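The two boot-time deletion mechanisms described above (Wininit.ini on Windows 9x, PendingFileRenameOperations on NT/2000/XP) and the Run-key persistence can all be checked offline from a registry export and an ini file. The following triage script is an added example, not Symantec's tool; the process names it watches are a subset of the list in this advisory, and all inputs are constructed samples.

```python
import ntpath

# Subset of the security-product executables named in the advisory (assumption:
# a real triage script would load the full list from the page).
TARGET_PROCESSES = {"AVP32.EXE", "NAVW32.EXE", "ZONEALARM.EXE", "VSHWIN32.EXE"}

# Constructed sample inputs: a Run key dump, a Wininit.ini body, and the
# REG_MULTI_SZ data of PendingFileRenameOperations as a flat string list.
SAMPLE_RUN = {r"C:\WINDOWS\SYSTEM\gone.scr": r"C:\WINDOWS\SYSTEM\gone.scr",
              "SystemTray": "SysTray.Exe"}
SAMPLE_WININIT = ("[rename]\n"
                  "NUL=C:\\PROGRA~1\\ZONEAL~1\\ZONEALARM.EXE\n"
                  "NUL=C:\\PROGRA~1\\ZONEAL~1\\README.TXT\n")
SAMPLE_PENDING = ["\\??\\C:\\Program Files\\Norton AntiVirus\\NAVW32.EXE", "",
                  "\\??\\C:\\temp\\a.tmp", "\\??\\C:\\temp\\b.tmp"]

def parse_wininit_deletes(text):
    """Files queued for deletion in Wininit.ini: inside [rename], a line
    'NUL=<path>' deletes <path> at the next boot. Duplicate NUL= keys are
    normal here, so the section is parsed by hand rather than with configparser."""
    deletes, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line.lower() == "[rename]"
            continue
        if in_rename and "=" in line:
            dst, src = (p.strip() for p in line.split("=", 1))
            if dst.upper() == "NUL":
                deletes.append(src)
    return deletes

def parse_pending_deletes(multi_sz):
    """PendingFileRenameOperations holds (source, target) pairs; an empty
    target means the source is deleted at boot. Strips the \\??\\ NT prefix."""
    deletes = []
    for src, dst in zip(multi_sz[0::2], multi_sz[1::2]):
        if dst == "":
            deletes.append(src[4:] if src.startswith("\\??\\") else src)
    return deletes

def goner_indicators(run_values, wininit_text, pending_multi_sz):
    """Return human-readable findings matching the behaviour in the advisory."""
    findings = []
    for name, data in run_values.items():  # value name == data == ...\gone.scr
        if name == data and ntpath.basename(data).lower() == "gone.scr":
            findings.append(f"Run value persists {data}")
    queued = parse_wininit_deletes(wininit_text) + parse_pending_deletes(pending_multi_sz)
    for path in queued:
        if ntpath.basename(path).upper() in TARGET_PROCESSES:
            findings.append(f"boot-time deletion queued for security product {path}")
    return findings
```

On the sample data the script reports the gone.scr Run value plus the queued deletions of ZONEALARM.EXE and NAVW32.EXE; README.TXT is queued too but is not flagged, since only the product executables are matched.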
Removal instructions:
Symantec Security Response has posted a removal tool to assist in eradicating this worm. Please go here to read the instructions and download the removal tool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.goner.a@mm.removal.tool.html
BE CAREFUL IN WHAT YOU OPEN!!!!!!!!
Huggs, Pammierose
How it changed my life: I hope it doesn't!