[FOLKLORE FAMILY] GONER WORM Hits Outlook Express and ICQ

Be careful of ANY attachment that ends in scr. This worm tries to wipe out your anti-virus program among other things. Please note that the lists of files are the files the worm is trying to destroy...not the worm itself. Don't delete them.

Linda Bee

F-Secure Computer Virus Information Pages: Goner
http://www.f-secure.com/v-descs/goner.shtml

F-Secure Virus Descriptions

NAME: Goner
ALIAS: W32/[email protected], I-Worm.Goner, Gone, Pentagone, Pentagon

Goner is a mass-mailer written in Visual Basic. It appeared on December 4th, 2001. The worm is a PE EXE file about 39 kilobytes long; it is packed with the UPX file compressor. The worm's unpacked file is about 145 kilobytes long.

The worm spreads itself using Outlook and ICQ if it's installed on an infected computer. It also drops a few scripts to the mIRC client directory. These scripts can be used to flood certain IRC channels.

When the worm's file is run, it shows a dialog box with greetings and some animation. This is done to disguise itself. Then it shows a messagebox with a fake error message:

    Error While Analyze DirectX!

The worm copies itself as GONE.SCR to the Windows System folder and tries to create its startup key in the Registry. The worm runs as a service process, so its task is not visible in Task Manager.

To spread itself the worm connects to the Outlook Address Book, reads e-mail addresses from it and sends itself to all these addresses. The infected message looks like this:

    Subject: Hi
    Body:
      How are you ?
      When I saw this screen saver, I immediately thought about you
      I am in a harry, I promise you will love it!
    Attachment: Gone.scr

The worm also attempts to send itself through ICQ if it is installed on an infected computer. It uses a standard ICQ component to send out its file. The worm sends a file transfer request to a contact of an infected user who appears to be on-line (in any mode) and if that person approves the file transfer, the worm sends its file to that person.

The worm looks for and terminates the following processes:

    APLICA32.EXE
    ZONEALARM.EXE
    ESAFE.EXE
    CFIADMIN.EXE
    CFIAUDIT.EXE
    CFINET32.EXE
    PCFWallIcon.EXE
    FRW.EXE
    VSHWIN32.EXE
    VSECOMR.EXE
    WEBSCANX.EXE
    AVCONSOL.EXE
    VSSTAT.EXE
    PW32.EXE
    VW32.EXE
    VP32.EXE
    VPCC.EXE
    VPM.EXE
    AVP32.EXE
    AVPCC.EXE
    AVPM.EXE
    AVP.EXE
    LOCKDOWN2000.EXE
    ICLOAD95.EXE
    ICMON.EXE
    ICSUPP95.EXE
    ICLOADNT.EXE
    ICSUPPNT.EXE
    TDS2-98.EXE
    TDS2-NT.EXE
    SAFEWEB.EXE

The worm also attempts to delete these files and, if deletion fails, it creates a WININIT.INI file that will delete these files on startup. The worm also tries to delete the C:\SAFEWEB\ folder.

If the worm found and killed at least one of the processes listed above, it deletes its file from the folder where it was first started from, except if it was started from the Windows System folder.

F-Secure Anti-Virus detects the Goner worm with updates from December 4th, 2001 / 16:05:50 (GMT+2):

    ftp://ftp.f-secure.com/anti-virus/updates/fsupdate.exe
    ftp://ftp.europe.f-secure.com/anti-virus/updates/fsupdate.exe

[Analysis: Alexey Podrezov; F-Secure Corp.; December 4th, 2001]

*********************************************************

W32/Goner
New worm spreading in email
From About.com Anti-Virus Site
http://antivirus.about.com/library/weekly/aa120401a.htm

A new mass-mailing email worm has been reported by MessageLabs (http://www.messagelabs.com). The message arrives with:

    Subject: Hi

and message body:

    How are you ?
    When I saw this screen saver, I immediately thought about you
    I am in a harry, I promise you will love it!

The attached file will be approximately 39Kb and is named "gone.scr".

According to antivirus vendor F-Secure (http://www.f-secure.com), the Goner worm spreads using Microsoft® Outlook and ICQ. Scripts dropped to the mIRC client directory can be used to flood certain IRC channels as well. If the infected attachment is opened, the worm first displays an animation dialog box and then an erroneous error message. The worm then creates a copy of itself in the C:\Windows\System folder and installs itself as a service process via the system registry.

In addition to mass-mailing itself to addresses found in the Windows Address Book, Goner also sends itself via ICQ (if installed) by sending file transfer requests to contacts. According to F-Secure, if that person approves the file transfer, the worm sends its file to that person.

More insidiously, the worm looks for and terminates the following processes, which include McAfee's realtime scanner (VShield), AVP, ZoneAlarm, LockDown, and eSafe:

    APLICA32.EXE
    AVCONSOL.EXE
    AVP32.EXE
    AVP.EXE
    AVPCC.EXE
    AVPM.EXE
    CFIADMIN.EXE
    CFIAUDIT.EXE
    CFINET32.EXE
    ESAFE.EXE
    FEWEB.EXE
    FRW.EXE
    ICLOAD95.EXE
    ICLOADNT.EXE
    ICMON.EXE
    ICSUPP95.EXE
    ICSUPPNT.EXE
    LOCKDOWN2000.EXE
    PCFWallIcon.EXE
    PW32.EXE
    TDS2-98.EXE
    TDS2-NT.EXE
    VW32.EXE
    VP32.EXE
    VPCC.EXE
    VPM.EXE
    VSECOMR.EXE
    VSHWIN32.EXE
    VSSTAT.EXE
    WEBSCANX.EXE
    ZONEALARM.EXE

The Goner worm will also try to delete these files and, if it fails, will create a WININIT.INI file to delete the files on the next system startup. Shutting down and/or deleting these protective programs leaves the system vulnerable to other malicious code/malicious person threats.

Removing the worm

Antivirus software will require updating to definition files released December 4, 2001 or later in order to detect and remove the worm. To manually remove the worm, reboot into DOS mode using a clean system disk, change to the Windows\System directory and delete the file "gone.scr".

    12/04/2001 10:11:55
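The indicators in the post (the fixed subject and body text, the gone.scr attachment, and the WININIT.INI trick used to finish deleting security tools on the next boot) are simple enough to check mechanically. The script below is an added example written for this archive page; it is not code from the post, from F-Secure or from About.com. The function names are hypothetical, the sample message and WININIT.INI are constructed to match the write-up, and the [rename]/NUL= syntax it parses is the standard Windows 9x WININIT.INI convention, which the post describes only as "delete these files on startup".

```python
"""Defender-side checks for the Goner indicators described in the post.

Added example, not from the mailing-list post, F-Secure or About.com.
Function names are hypothetical; sample inputs below are constructed.
"""
from email import message_from_bytes
from email.policy import default

# Indicators taken from the write-up: subject, body phrasing, attachment name.
GONER_SUBJECT = "hi"
GONER_BODY_PHRASES = ("when i saw this screen saver", "i promise you will love it")
GONER_ATTACHMENT = "gone.scr"

# Security-product executables the worm tries to kill (the F-Secure list).
PROTECTED_PROCESSES = {
    "APLICA32.EXE", "ZONEALARM.EXE", "ESAFE.EXE", "CFIADMIN.EXE", "CFIAUDIT.EXE",
    "CFINET32.EXE", "PCFWALLICON.EXE", "FRW.EXE", "VSHWIN32.EXE", "VSECOMR.EXE",
    "WEBSCANX.EXE", "AVCONSOL.EXE", "VSSTAT.EXE", "PW32.EXE", "VW32.EXE", "VP32.EXE",
    "VPCC.EXE", "VPM.EXE", "AVP32.EXE", "AVPCC.EXE", "AVPM.EXE", "AVP.EXE",
    "LOCKDOWN2000.EXE", "ICLOAD95.EXE", "ICMON.EXE", "ICSUPP95.EXE", "ICLOADNT.EXE",
    "ICSUPPNT.EXE", "TDS2-98.EXE", "TDS2-NT.EXE", "SAFEWEB.EXE",
}


def goner_indicators(raw: bytes) -> list:
    """Return the Goner indicators found in an RFC 822 message.

    Any .scr attachment is reported (the post's general advice); the subject,
    body phrasing and exact file name are reported separately so a mail
    filter can weight them instead of acting on one alone.
    """
    msg = message_from_bytes(raw, policy=default)
    hits = []
    if (msg.get("Subject") or "").strip().lower() == GONER_SUBJECT:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(p in text for p in GONER_BODY_PHRASES):
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".scr"):
            hits.append("scr-attachment")
        if name == GONER_ATTACHMENT:
            hits.append("gone.scr")
    return hits


def wininit_deletion_targets(ini_text: str) -> list:
    """Return security-tool executables a WININIT.INI would delete on boot.

    Windows 9x processes the [rename] section at startup as
    destination=source pairs; a destination of NUL deletes the source file.
    This is how a file that could not be removed while running disappears
    on the next restart.  (Assumed syntax; the post only names the file.)
    """
    targets = []
    in_rename = False
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_rename = line.lower() == "[rename]"
            continue
        if not in_rename or "=" not in line:
            continue
        dest, _, src = line.partition("=")
        if dest.strip().upper() != "NUL":
            continue
        basename = src.strip().replace("/", "\\").rsplit("\\", 1)[-1].upper()
        if basename in PROTECTED_PROCESSES:
            targets.append(basename)
    return targets


# Constructed sample message matching the description in the post.
SAMPLE_MAIL = b"""From: someone@example.invalid
To: you@example.invalid
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

How are you ?
When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!

--b1
Content-Type: application/octet-stream; name="gone.scr"
Content-Disposition: attachment; filename="gone.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed WININIT.INI of the kind described (paths are placeholders).
SAMPLE_WININIT = """[rename]
NUL=C:\\PROGRA~1\\ZONEALARM\\ZONEALARM.EXE
NUL=C:\\WINDOWS\\SYSTEM\\VSHWIN32.EXE
C:\\WINDOWS\\SYSTEM\\NEW.DLL=C:\\WINDOWS\\TEMP\\NEW.DLL
"""

if __name__ == "__main__":
    print(goner_indicators(SAMPLE_MAIL))
    print(wininit_deletion_targets(SAMPLE_WININIT))
```

On the constructed message all four indicators fire; on the constructed WININIT.INI only the two NUL= entries that name protected executables are reported, the ordinary rename line is ignored. A mail gateway would act on the ".scr" hit alone (the post's advice), while a host check that finds matching NUL= lines in WININIT.INI has evidence that something tried and failed to remove a security product before the reboot.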