Going, Going, Goner

The latest viral threat can use ICQ and mIRC to propagate itself, and can delete some security software from your systems. Read on to learn all of Goner's methods of attack, its payload, and how to remove it if you've been infected.

By Jim Freund | Posted Dec 5, 2001

It's that time of year again. Invitations coming in left and right; little unexpected presents from folk we barely know. Unfortunately, what we're referring to has nothing to do with Yuletide, but rather e-mail attachments with viral payloads. The gifts you receive may have nice wrapping, but if you open one of them, you're a goner.

W32/Goner is, in fact, the name of the latest in the recent series of mass-mailer viruses that exploit Outlook. Its payload is not, in and of itself, particularly deadly. The greatest danger is that Goner can delete directories containing security software, and can exploit the instant message program, ICQ, and possibly mIRC. As the worm propagates, you might experience the equivalent of a Denial of Service attack as your e-mail gateway is temporarily flooded. Goner's overall significance is probably in the vulnerable state it leaves a system in if it is not eradicated, and the potential it holds to become part of a multi-tiered attack, such as that which Nimda used.

Propagation
Most commonly, Goner is delivered as an e-mail which appears as follows:

Subject:	Hi!

Body:	How are you ?
	When I saw this screen saver, I immediately thought about you
	I am in a harry, I promise you will love it!

Attachment:	gone.scr

Of course, minor variants on that text are likely to turn up.
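
The following Python example is added here and is not from the original article: it classifies a raw message using the subject, body line and attachment name quoted above, and still flags any other .scr attachment because variants of the text are expected. The function names, verdict labels and example.com addresses are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the article; lower-cased for comparison.
GONER_SUBJECT = "hi!"
GONER_ATTACHMENT = "gone.scr"
GONER_BODY_MARKER = "when i saw this screen saver"


def attachment_names(msg):
    """Return normalised filenames of all MIME parts that declare one."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            # Windows ignores trailing dots/spaces, so strip them first.
            names.append(name.strip().rstrip(". ").lower())
    return names


def classify(raw_bytes):
    """Classify a raw message as 'goner', 'suspicious-scr' or 'clean'."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    scr = [n for n in attachment_names(msg) if n.endswith(".scr")]
    if not scr:
        return "clean"
    subject = (msg["Subject"] or "").strip().lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part is not None else ""
    exact = GONER_ATTACHMENT in scr and (
        subject == GONER_SUBJECT or GONER_BODY_MARKER in body)
    # Any other .scr is flagged too, since variants change the text.
    return "goner" if exact else "suspicious-scr"


def build_sample(subject, body, filename=None):
    """Build a constructed test message; the attachment is inert bytes."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, "a@example.com", "b@example.com"
    m.set_content(body)
    if filename:
        m.add_attachment(b"inert placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    lure = "How are you ?\nWhen I saw this screen saver, I immediately thought about you\n"
    print(classify(build_sample("Hi!", lure, "gone.scr")))
```
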

As mentioned, another method Goner uses to propagate itself is through ICQ. Similar to the manner in which mass-mailer viruses use the victims' address books as their next targets, the worm attempts to initiate a file transfer with anyone in ICQ's contact list. Should the intended recipient approve the file transfer, Goner sends a copy of itself.

mIRC users may also be vulnerable. If the chat program is present, the worm creates the file REMOTE32.INI and modifies the mIRC SCRIPT.INI file to use it. This allows remote IRC users who are connected to the same channel to have the mIRC client initiate a Denial of Service attack.
