Help & HowTo: Goner
Published: 05 Dec 2001 17:48 GMT
Let there be no doubt that script kiddies -- inexperienced malicious programmers -- have taken up the once lowly skill of virus writing. Goner's (w32.Goner.A@mm) pop-up displays look like a typical script kiddie Web site defacement, complete with the typical script kiddie "greetz." Besides spreading rapidly by email, and therefore posing a threat to email servers, Goner spreads via ICQ and also shuts down antivirus and firewall protection, leaving your Windows computer vulnerable to other attacks.
How it works
Goner arrives by ICQ or email bearing a subject line of "Hi" with the body text of "How are you ? When I saw this screen saver, I immediately thought about you I am in a harry, I promise you will love it!" The attached file is gone.scr.
The payload of Goner is written in Visual Basic 6, packed with a UPX file compressor, and is 39KB in size. If executed, the worm makes copies of itself in the Windows System directory under the name gone.scr. It also adds itself to the Registry so that it executes each time the computer reboots.
Goner uses the Outbook Address Book to find addresses to send email copies of itself. If ICQ, a favorite program of script kiddies, is also present on the infected computer, Goner will attempt to spread copies of itself through that service as well.
Besides displaying a message taking credit for the worm -- "Pentagone coded by: suid tested by: ThE_SkuLL and Isatanl" -- and a traditional script kiddie greetz -- "greetings to TraceWar, k9unit, stef16, ^Reno. Greetings also to nonick2 out there where ever you are." This worm also displays a fake error message.
Goner disables antivirus and firewall protection by attempting to delete the following files:
aplica32.exe
zonealarm.exe
esafe.exe
cfiadmin.exe
cfiaudit.exe
cfinet32.exe
pcfwallicon.exe
frw.exe
vshwin32.exe
vsecomr.exe
webscanx.exe
avconsol.exe
vsstat.exe
pw32.exe
vw32.exe
vp32.exe
vpcc.exe
vpm.exe
avp32.exe
avpcc.exe
avpm.exe
avp.exe
lockdown2000.exe
icload95.exe
icmon.exe
icsupp95.exe
icloadnt.exe
icsuppnt.exe
tds2-98.exe
tds2-nt.exe
safeweb.exe
If Goner can't delete the files immediately, it will create a WININIT.INI file to delete the files upon reboot.
Removal
Most of the antivirus software companies have updated their signature files to include this worm. For more information on removing this Goner from your system, see Central Command, F-Secure, Kaspersky, Sophos, Symantec, and Trend Micro.
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.
Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.
Let the editors know what you think in the Mailroom. And read other letters.
Did you find this article useful?
17 out of 34 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
