Summary

| Included in our products from | January 2002 (3.53) |
|---|---|
| Detected by | All Sophos products |
Action

Please read the instructions for removing W32/Goner-A.
More Information
W32/Goner-A spreads by email as a file attachment called GONE.SCR. It uses this name to pose as a screensaver. The worm arrives in an email with the following characteristics:
Subject: Hi
Message text:
How are you ?
When I saw this screen saver, I immediately thought about you I am in a harry, I promise you will love it!
W32/Goner-A attempts to disable the following processes:
_AVP32.EXE,
_AVPCC.EXE,
_AVPM.EXE,
APLICA32.EXE,
AVCONSOL.EXE,
AVP.EXE,
AVP32.EXE,
AVPCC.EXE,
AVPM.EXE,
CFIADMIN.EXE,
CFIAUDIT.EXE,
CFINET.EXE,
CFINET32.EXE,
ESAFE.EXE,
FRW.EXE,
IAMAPP.EXE,
IAMSERV.EXE,
ICLOAD95.EXE,
ICLOADNT.EXE,
ICMON.EXE,
ICSUPP95.EXE,
ICSUPPNT.EXE,
LOCKDOWN2000.EXE,
NAVAPW32.EXE,
NAVW32.EXE,
PCFWallIcon.EXE,
TDS2-98.EXE,
TDS2-NT.EXE,
SAFEWEB.EXE,
VSHWIN32.EXE,
VSECOMR.EXE,
VSSTAT.EXE,
WEBSCANX.EXE,
ZONEALARM.EXE.
If the worm finds one of the above processes, it attempts to terminate it. The worm also attempts to delete all files from any directory containing files of those names, and creates a file called wininit.ini in order to delete any remaining files the next time Windows is restarted.
Sophos recommends customers check that affected computers are correctly running the latest version of Sophos
The worm deletes all files from C:\SAFEWEB\
The worm also infects the Internet Relay Chat client mIRC. It does this by dropping an mIRC script file, REMOTE32.INI, in the mIRC folder and adding a section to MIRC.INI that loads the dropped script when the victim uses mIRC.
It also propagates using the messaging program ICQ.
The worm creates a copy of itself named gone.scr in the Windows System directory. To ensure that the worm is run each time Windows is restarted, it creates a registry key containing the name of the worm file in
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
When the worm is run for the first time, it shows a short graphical display and then displays a bogus error message. This is designed to fool the recipient into believing they received a genuine screensaver and that it has aborted for some reason.
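The host-side traces described above (the gone.scr copy in the Windows System directory, the Run entry, and the mIRC script with its MIRC.INI change) can be checked in one triage pass. This is an added example, not Sophos code; the directory arguments, the exported Run values passed as a dict, and the sample MIRC.INI contents and value name are assumptions constructed for illustration.

```python
import os

# File names from the description above, lowercased: Windows names are case-insensitive.
WORM_FILE, MIRC_SCRIPT, MIRC_CONFIG = "gone.scr", "remote32.ini", "mirc.ini"

def find_ci(directory, name):
    """Return the path of `name` inside `directory` (case-insensitive), or None."""
    if not os.path.isdir(directory):
        return None
    return next((os.path.join(directory, e) for e in os.listdir(directory)
                 if e.lower() == name), None)

def triage(system_dir, mirc_dir, run_values):
    """Return (indicator, detail) tuples for each trace of the worm that is present."""
    findings = []
    copy = find_ci(system_dir, WORM_FILE)
    if copy:
        findings.append(("worm_copy", copy))
    for name, data in run_values.items():  # values exported from ...\CurrentVersion\Run
        if WORM_FILE in f"{name} {data}".lower():
            findings.append(("run_entry", f"{name} = {data}"))
    script = find_ci(mirc_dir, MIRC_SCRIPT)
    if script:
        findings.append(("mirc_script", script))
    config = find_ci(mirc_dir, MIRC_CONFIG)
    if config:
        with open(config, errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if MIRC_SCRIPT in line.lower():  # any line that loads the dropped script
                    findings.append(("mirc_loader", f"{config}:{lineno}: {line.strip()}"))
    return findings

def build_sample(root):
    """Create a constructed (not captured) infected layout under `root`."""
    files = {"SYSTEM/GONE.SCR": "", "mirc/REMOTE32.INI": "",
             "mirc/MIRC.INI": "[rfiles]\nn0=REMOTE32.INI\n"}
    for rel, text in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return (os.path.join(root, "SYSTEM"), os.path.join(root, "mirc"),
            {"ExampleValue": r"C:\WINDOWS\SYSTEM\gone.scr"})

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print(*triage(*build_sample(tmp)), sep="\n")
```

On a mounted disk image, point `system_dir` and `mirc_dir` at the corresponding folders and pass the Run values extracted from the offline registry hive.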

