Following is the latest information released from McAfee.com. the W32/Goner@MM virus is in EMERGENCY status. I URGE each of you to download the latest updates from your virus protection program provider and be VERY careful about opening attachments. This one will appear to be a screen saver. If you have questions please contact me personally or contact the tech support folks with your software provider. This is NOT the badtrans b virus. This is totally new and potentially a severe problem! Joyce Gaston Reece Rootsweb Mail Administer for Meigs Co, TN, South East TN, North East TN, Raper, Gilbreath, Galbreath, Hembree, Knuckles Message Board Administrator for Gaston, Reece, Raper, Gilbreath, Galbreath, Hembree, Knuckles, ----- Original Message ----- From: <jreece@icx.net> To: <jreece@icx.net> Sent: Tuesday, December 04, 2001 8:37 PM Subject: Computer Virus Information from a Friend! > Greetings, jreece@icx.net > > I thought you would be interested in knowing about this computer Virus... > > Name: W32/Goner@MM > > Characteristics: > This mass mailing worm attempts to send itself using Microsoft Outlook to > all entries found in the Outlook Address book. It tries to delete security > software, can spread via ICQ, and an IRC bot script. It arrives in an > email message containing the following information: > Subject: Hi Body: How are you ? When I saw this screen saver, I > immediately thought about you I am in a harry, I promise you will love it! > Attachment: GONE.SCR > Running this attachment infects the local system. > > When run, the worm displays a message box entitled, "About" <IMG > src="http://vil.nai.com/images/99272a.gif"> > After a short time, another window entitled "Error" is displayed: <IMG > src="http://vil.nai.com/images/99272b.jpg"> > The worm copies itself into the WINDOWS SYSTEM folder and adds the > following registry key to load itself at startup: > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ > Run\C:\%WINDIR%\SYSTEM\gone.scr=C:\%WINDIR%\SYSTEM\gone.scr Under Windows > 9x/ME, the worm looks for the following processes in memory: > _AVP32.EXE _AVPCC.EXE _AVPM.EXE APLICA32.EXE AVP.EXE AVP32.EXE AVPCC.EXE > AVPM.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET32.EXE ESAFE.EXE FRW.EXE > ICLOAD95.EXE ICLOADNT.EXE ICMON.EXE ICSUPP95.EXE ICSUPPNT.EXE > LOCKDOWN2000.EXE NAVW32.EXE PCFWallICON.EXE SAFEWEB.EXE TDS2-98.EXE > TDS2-NT.EXE VSHWIN32.EXE ZONEALARM.EXE If present, the process is > terminated and all files in the directory containing that executable are > deleted, as well as all files within any subdirectories. If this action > fails, the worm may create a WININIT.INI file to delete the files upon > restart. > The worm attempts to copy ICQMAPI.DLL to the WINDOWS SYSTEM directory to > send itself to ICQ users. DLL calls are made which send the worm to ICQ > contacts which are on-line. The worm also creates the file REMOTE32.INI > and modifies the mIRC SCRIPT.INI file to use it. This causes the mIRC > client to become an IRC bot, accepting instructions to initiate a Denial > of Service attack from remote IRC users who are connected to the same > channel. > > To check your system for this Virus, and to learn how to protect yourself > from computer viruses, visit the McAfee.com Clinic at > http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2103. > > For complete information on this Virus, view McAfee.com's Virus > Information Library listing at > http://vil.mcafee.com/dispVirus.asp?virus_k=99272. > > This email was sent to you by joyce reece > >