Worm:W32/Goner

Classification

Category: Malware

Type: Worm

Summary

Goner is a mass-mailer written in Visual Basic. It was found on December 4th, 2001.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm spreads itself through Outlook email messages as a GONE.SCR attachment. It also spreads through ICQ Instant Messenger if it is installed on the infected computer, and it drops a few scripts into the mIRC client directory; these scripts can be used to flood certain IRC chat channels.

Goner also tries to delete security programs, such as firewalls and anti-virus programs, from the system. Although this sounds serious, it does not actually help the worm spread much: the worm can only delete a security program if it has already managed to execute, so that program had already failed to stop Goner, and deleting it gains the worm nothing. The technique does, however, leave the system more vulnerable to OTHER viruses and threats.

The worm is a PE EXE file about 39 kilobytes long, packed with the UPX file compressor; the unpacked file is about 145 kilobytes long. When the worm's file is run, it shows a dialog box with greetings and some animation. This is done as a disguise. It then shows a message box with a fake error message:

The worm copies itself as GONE.SCR to the Windows System folder and tries to create a startup key for itself in the Registry. The worm runs as a service process, so its task is not visible in Task Manager. To spread itself, the worm connects to the Outlook Address Book, reads the email addresses from it and sends itself to all of them. The infected message looks like this:

Subject: Hi
Body: How are you ? When I saw this screen saver, I immediately thought about you I am in a harry, I promise you will love it!
Attachment: Gone.scr
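The message layout above is fixed (Subject "Hi", the screen-saver lure in the body, a Gone.scr attachment), which is what makes this worm easy to stop at a mail gateway. The following is an added example, not F-Secure's code and not taken from the worm: it builds a constructed message with the described layout (the attachment is placeholder bytes, not the worm) and runs a small classifier over it that quarantines any message carrying an executable attachment and additionally recognizes the Goner lure. The generic extension list and the `classify` function are assumptions of this example.

```python
# Added example: mail-gateway style check for the Goner mass-mailer pattern.
# Nothing here is from the worm or from F-Secure; the sample message is
# constructed from the Subject/Body/Attachment given in the description.
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

GONER_SUBJECT = "Hi"            # subject line as described
GONER_ATTACHMENT = "gone.scr"   # attachment name as described (case-insensitive)
# Assumed generic policy: these extensions never belong in inbound mail.
DANGEROUS_EXTENSIONS = (".scr", ".exe", ".pif", ".com", ".bat")


def build_sample_message():
    """Construct a message with the Goner layout (placeholder attachment)."""
    msg = EmailMessage()
    msg["From"] = "victim@example.invalid"
    msg["To"] = "contact@example.invalid"
    msg["Subject"] = GONER_SUBJECT
    msg.set_content(
        "How are you ?\n"
        "When I saw this screen saver, I immediately thought about you\n"
        "I am in a harry, I promise you will love it!\n"
    )
    # Placeholder bytes standing in for the attachment; not the worm.
    msg.add_attachment(b"MZ-placeholder", maintype="application",
                       subtype="octet-stream", filename="Gone.scr")
    return msg.as_bytes()


def build_benign_message():
    """Constructed control message: same subject, no attachment."""
    msg = EmailMessage()
    msg["From"] = "friend@example.invalid"
    msg["To"] = "contact@example.invalid"
    msg["Subject"] = GONER_SUBJECT
    msg.set_content("How are you? Lunch on Friday?\n")
    return msg.as_bytes()


def attachment_names(raw):
    """Return the file names of all attachment parts in a raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def classify(raw):
    """Decide whether a message should be quarantined and say why."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    names = attachment_names(raw)
    reasons = []
    for name in names:
        lowered = name.lower()
        if lowered.endswith(DANGEROUS_EXTENSIONS):
            reasons.append("executable attachment %s" % name)
        if lowered == GONER_ATTACHMENT:
            reasons.append("attachment name matches Goner")
    subject = (msg["Subject"] or "").strip()
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body is not None else ""
    # The lure only counts when an attachment is actually present.
    if subject == GONER_SUBJECT and "screen saver" in body_text.lower() and names:
        reasons.append("subject/body match Goner lure")
    return {"quarantine": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for raw in (build_sample_message(), build_benign_message()):
        print(classify(raw))
```

The executable-extension rule alone would already have caught Goner; the subject/body match is only there to attach a name to the detection, which is useful when reporting back to users who received the message.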

The worm also attempts to send itself through ICQ if it is installed on the infected computer. It uses a standard ICQ component to send out its file. The worm sends a file transfer request to any contact of the infected user who appears to be on-line (in any mode), and if that person approves the transfer, the worm sends its file to them. This way all ICQ contacts of an infected user will receive the worm. The worm looks for and terminates the following processes:

  • APLICA32.EXE
  • ZONEALARM.EXE
  • ESAFE.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET32.EXE
  • CFINET.EXE
  • IAMSERV.EXE
  • IAMAPP.EXE
  • PCFWallIcon.EXE
  • FRW.EXE
  • VSHWIN32.EXE
  • VSECOMR.EXE
  • WEBSCANX.EXE
  • AVCONSOL.EXE
  • VSSTAT.EXE
  • NAVAPW32.EXE
  • NAVW32.EXE
  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPM.EXE
  • AVP.EXE
  • LOCKDOWN2000.EXE
  • ICLOAD95.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICLOADNT.EXE
  • ICSUPPNT.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • SAFEWEB.EXE

For each process it kills, the worm deletes all files in the directory where that process's executable is located, including all subdirectories. If deletion fails, the worm creates a WININIT.INI file that will delete these files on the next Windows startup. The worm also tries to delete the C:\SAFEWEB\ folder.
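The WININIT.INI fallback is worth looking for on a recovered machine, because a file that could not be deleted while the security product was running will still disappear at the next reboot. On Windows 9x, WININIT.INI carries a `[rename]` section of `destination=source` lines, and a destination of `NUL` means "delete source" (this is the documented mechanism; that Goner writes exactly this form is an assumption of this example). The following added example, not from F-Secure or the worm, parses a constructed WININIT.INI and flags scheduled deletions that hit one of the process names from the list above, anything under C:\SAFEWEB, or a burst of deletions aimed at one directory. The `burst_threshold` value and the sample paths are constructed for the example.

```python
# Added example: triage a WININIT.INI [rename] section for deletions staged
# by a process-killing worm. Not F-Secure's code; sample content is constructed.
from collections import Counter
import ntpath

# Process names the description says the worm terminates (from the list above).
KILLED_PROCESSES = frozenset(name.upper() for name in (
    "APLICA32.EXE", "ZONEALARM.EXE", "ESAFE.EXE", "CFIADMIN.EXE", "CFIAUDIT.EXE",
    "CFINET32.EXE", "CFINET.EXE", "IAMSERV.EXE", "IAMAPP.EXE", "PCFWallIcon.EXE",
    "FRW.EXE", "VSHWIN32.EXE", "VSECOMR.EXE", "WEBSCANX.EXE", "AVCONSOL.EXE",
    "VSSTAT.EXE", "NAVAPW32.EXE", "NAVW32.EXE", "_AVP32.EXE", "_AVPCC.EXE",
    "_AVPM.EXE", "AVP32.EXE", "AVPCC.EXE", "AVPM.EXE", "AVP.EXE", "LOCKDOWN2000.EXE",
    "ICLOAD95.EXE", "ICMON.EXE", "ICSUPP95.EXE", "ICLOADNT.EXE", "ICSUPPNT.EXE",
    "TDS2-98.EXE", "TDS2-NT.EXE", "SAFEWEB.EXE",
))

# Constructed sample: three deletions in a firewall directory (8.3 short names,
# as such entries usually appear), one under C:\SAFEWEB, and one legitimate
# installer-style rename that a triage tool must not flag.
SAMPLE_WININIT = r"""[rename]
NUL=C:\PROGRA~1\ZONEAL~1\ZONEALARM.EXE
NUL=C:\PROGRA~1\ZONEAL~1\HELP.HLP
NUL=C:\PROGRA~1\ZONEAL~1\README.TXT
NUL=C:\SAFEWEB\SAFEWEB.EXE
C:\WINDOWS\SYSTEM\MSVCRT.DLL=C:\WINDOWS\TEMP\MSVCRT.DLL
"""


def parse_rename_section(text):
    """Return (destination, source) pairs from the [rename] section.

    configparser is not used on purpose: WININIT.INI repeats the NUL key,
    which configparser treats as a duplicate option.
    """
    entries = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            entries.append((dest.strip(), src.strip()))
    return entries


def analyze(text, burst_threshold=3):
    """Flag scheduled deletions that look like a security product being removed."""
    entries = parse_rename_section(text)
    deletions = [src for dest, src in entries if dest.upper() == "NUL"]
    findings = []
    for path in deletions:
        base = ntpath.basename(path).upper()
        if base in KILLED_PROCESSES:
            findings.append("scheduled deletion of security component %s" % path)
        if ntpath.dirname(path).upper().startswith(r"C:\SAFEWEB"):
            findings.append("scheduled deletion under C:\\SAFEWEB: %s" % path)
    per_dir = Counter(ntpath.dirname(p).upper() for p in deletions)
    for directory, count in per_dir.items():
        if count >= burst_threshold:
            findings.append("%d files scheduled for deletion under %s" % (count, directory))
    return {"deletions": deletions, "findings": findings}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_WININIT)["findings"]:
        print(finding)
```

The burst rule is the one that generalizes: a worm that wipes a whole product directory leaves many `NUL=` lines pointing into one tree, whereas a legitimate installer stages a handful of renames from a temporary folder. Removing the offending lines before rebooting is enough to stop the deferred deletion.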

Note

F-Secure Anti-Virus detects Goner worm with updates from December 4th, 2001 / 16:05:50 (GMT+2)

NOTE: Although many other anti-virus companies rank Goner at their highest risk level, F-Secure is still maintaining this virus at F-Secure Radar Level 2. The data we have on this virus currently does not justify ranking it higher: we have received only a limited number of samples of the virus from the field, the virus is not destructive in nature, and it is very easy for a user to spot and avoid.