Going, Going, Goner

By Jim Freund | Dec 5, 2001 | Print this Page
http://www.enterprisenetworkingplanet.com/netsecur/article.php/934131/Going-Going-Goner.htm

It's that time of year again. Invitations coming in left and right; little unexpected presents from folk we barely know. Unfortunately, what we're referring to has nothing to do with Yuletide, but rather e-mail attachments with viral payloads. The gifts you receive may have nice wrapping, but if you open one of them, you're a goner.

W32/Goner is, in fact, the name of the latest in the recent series of mass-mailing worms that spread through Outlook. Its payload is not, in and of itself, particularly destructive. The greater danger is that Goner terminates security software and erases the directories it lives in, and that it also spreads through the instant messaging program ICQ and, where present, abuses mIRC. As the worm propagates, your e-mail gateway may be temporarily flooded, with much the same effect as a Denial of Service attack. Goner's overall significance is probably the vulnerable state it leaves a system in if it is not eradicated, stripped of antivirus and personal-firewall protection, and the potential it holds to become one stage of a multi-tiered attack, such as the one Nimda used.

Propagation
Most commonly, Goner is delivered as an e-mail which appears as follows:

Subject:    Hi!

Body:       How are you ?
            When I saw this screen saver, I immediately thought about you
            I am in a harry, I promise you will love it!

Attachment: gone.scr
Of course, minor variants on that text are likely to turn up, so do not rely on the exact wording to recognize it.
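The gateway-side check that follows from this is to quarantine on the attachment type first and treat the lure text only as a secondary signal, since the wording will drift while the .scr payload cannot. The script below is an added example, not code from the original article: it uses Python's standard email library to classify a raw message, and the messages it runs on are constructed to match the description above (the "attachment" is an inert stand-in, not the worm). The "variant" sample, with a renamed attachment, is an assumed case included to show why the filter keys on the extension.

```python
"""Gateway-side filter for the Goner lure (added example). The messages below
are constructed with Python's email library; the attachment bytes are inert."""
import os
import email
from email import policy
from email.message import EmailMessage

# Attachment types that should not pass a mail gateway at all. Windows runs
# .scr files as executables, which is why a "screen saver" is a usable lure.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".vbs"}

# Lure text from the article. Variants are expected, so this is secondary.
GONER_SUBJECT = "hi!"
GONER_BODY_MARKERS = ("screen saver", "i promise you will love it")


def classify_message(raw: bytes) -> dict:
    """Return {'quarantine': bool, 'reasons': [...]} for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = os.path.splitext(name)[1]          # "photo.jpg.scr" -> ".scr"
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable attachment {name!r}")
        if name == "gone.scr":
            reasons.append("attachment name matches Goner")

    subject = (msg["subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    if subject == GONER_SUBJECT and all(m in body for m in GONER_BODY_MARKERS):
        reasons.append("subject and body match the Goner lure")

    return {"quarantine": bool(reasons), "reasons": reasons}


def build_sample(subject, body, attachment_name=None, payload=b"") -> bytes:
    """Construct a test message (sample data, not a captured worm e-mail)."""
    m = EmailMessage()
    m["From"] = "friend@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(payload, maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


# Constructed samples: the lure as described, an assumed renamed variant, and
# an ordinary business message that must pass.
GONER_SAMPLE = build_sample(
    "Hi!",
    "How are you ?\nWhen I saw this screen saver, I immediately thought about you\n"
    "I am in a harry, I promise you will love it!\n",
    "gone.scr", b"MZ-inert-stand-in")
VARIANT_SAMPLE = build_sample(
    "Hi!", "When I saw this screen saver ... I promise you will love it!",
    "cute.jpg.scr", b"MZ-inert-stand-in")
BENIGN_SAMPLE = build_sample(
    "Q4 report", "The quarterly numbers are attached.\n", "q4.txt", b"numbers")

if __name__ == "__main__":
    for label, sample in (("goner", GONER_SAMPLE), ("variant", VARIANT_SAMPLE),
                          ("benign", BENIGN_SAMPLE)):
        print(label, classify_message(sample))
```

The double-extension case matters: a gateway that looks only at the part before the last dot, or only at the declared MIME type, will pass "cute.jpg.scr" as an image.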

As mentioned, another method Goner uses to propagate itself is through ICQ. Similar to the manner in which mass-mailer viruses use the victims' address books as their next targets, the worm attempts to initiate a file transfer with anyone in ICQ's contact list. Should the intended recipient approve the file transfer, Goner sends a copy of itself.

mIRC users are also at risk. If the chat program is present, the worm creates the file REMOTE32.INI and modifies mIRC's SCRIPT.INI to load it. The added script lets remote users on the same IRC channel send commands to the infected client, turning it into a participant in Denial of Service attacks against targets they choose.

Payload
When the attachment is executed, the malicious program displays what appears to be the splash screen of a legitimate screensaver, followed by an error message, to lull the user into thinking the screensaver simply didn't work. Of course, there's other dirty work afoot. The program copies itself to C:\WINNT\SYSTEM32\ or C:\WINDOWS\SYSTEM32\ (depending on the OS) as SCR.EXE. As with several other recent viruses, such as BadTrans.B, Goner adds an entry to the Windows registry as follows:

Key:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: C:\%WINDIR%\SYSTEM\gone.scr = C:\%WINDIR%\SYSTEM\gone.scr
This causes the program to load again at every reboot, so that it survives on the machine. So far this has all been about propagation and persistence. What makes Goner insidious is its ability to look for and terminate several antivirus and personal-firewall programs or processes. These include:
  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • APLICA32.EXE
  • AVCONSOL.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPM.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • ESAFE.EXE
  • FEWEB.EXE
  • FRW.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • LOCKDOWN2000.EXE
  • PCFWallIcon.EXE
  • PW32.EXE
  • SAFEWEB.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • VP32.EXE
  • VPCC.EXE
  • VPM.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • VSSTAT.EXE
  • VW32.EXE
  • WEBSCANX.EXE
  • ZONEALARM.EXE

If one of these processes is found, it is terminated, and every file in the directory tree where its executable lives is erased. If a file cannot be deleted immediately (for instance because it is still in use), Goner may write a WININIT.INI entry so that Windows completes the deletion on the next restart.

Eradication
To remove Goner by hand, first make sure the worm is not running: restart the computer in Safe Mode, or end the worm's process (wait at least half a minute and check the process list again to be sure nothing restarted it). Then reverse the change the worm made to the registry, delete the files it added to the SYSTEM32 (or SYSTEM) directory, remove any WININIT.INI deletion entries it left behind, restore mIRC's SCRIPT.INI if that was modified, restart the computer, reinstall your preferred antivirus software (the worm has most likely deleted it), and run a complete scan and cleansing.
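The Payload and Eradication sections above amount to a checklist of indicators and a list of changes to reverse. The script below is an added example, not part of the article: it turns that checklist into a host-side check that takes a process list, an export of the Run key, the contents of WININIT.INI and of mIRC's SCRIPT.INI, flags the worm's changes, and emits the manual removal steps in the order the article gives them. All four inputs are constructed samples standing in for real output (the mIRC script line in particular is illustrative, not the worm's actual text). Two assumptions are labelled in the code: that the WININIT.INI retry uses the documented Windows 9x/Me [rename] mechanism, where NUL=<path> deletes the file at boot, and a short subset of the article's kill list is used to mark deletions that hit security software.

```python
"""Host-side indicator check and cleanup plan for Goner (added example),
built from the behaviour the article describes. All inputs are constructed
samples, not live data from an infected machine."""
import ntpath

# Names the article gives for the dropped copy of the worm.
WORM_FILES = {"gone.scr", "scr.exe"}
# Directories the article says the copy lands in (Win9x SYSTEM, NT/2000 SYSTEM32).
SYSTEM_DIRS = {r"c:\windows\system", r"c:\windows\system32", r"c:\winnt\system32"}
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Subset of the article's kill list, used only to annotate pending deletions.
SECURITY_EXES = {"zonealarm.exe", "avp32.exe", "vshwin32.exe", "webscanx.exe"}


def is_worm_path(path: str) -> bool:
    """True when `path` names the worm's dropped copy inside a system directory."""
    p = ntpath.normpath(path.strip().strip('"')).lower()
    head, tail = ntpath.split(p)
    return tail in WORM_FILES and head in SYSTEM_DIRS


def scan_processes(process_names):
    """Running processes whose image name is the worm's dropped copy."""
    return [n for n in process_names if n.lower() in WORM_FILES]


def scan_run_key(run_values):
    """run_values: {value_name: data} as exported from the Run key.
    Returns the value names whose data launches the worm at boot."""
    return [name for name, data in run_values.items() if is_worm_path(data)]


def scan_wininit(wininit_text):
    """Files a WININIT.INI [rename] section would delete at the next boot.
    Assumption: the article's WININIT.INI retry uses the documented Win9x/Me
    mechanism, where 'NUL=<path>' under [rename] deletes <path> during startup.
    Parsed by hand because the key 'NUL' repeats on every line."""
    pending, in_rename = [], False
    for raw in wininit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].lower() == "rename"
        elif in_rename and "=" in line:
            dest, src = (s.strip() for s in line.split("=", 1))
            if dest.upper() == "NUL":
                pending.append(src)
    return pending


def mirc_loads_remote32(script_ini_text):
    """True when mIRC's SCRIPT.INI has been pointed at the worm's REMOTE32.INI."""
    return "remote32.ini" in script_ini_text.lower()


def build_cleanup_plan(processes, run_values, wininit_text, script_ini_text):
    """Ordered manual-removal steps mirroring the article's Eradication section."""
    plan = []
    for p in scan_processes(processes):
        plan.append(f"end process {p} (or boot to Safe Mode first)")
    for name in scan_run_key(run_values):
        plan.append(f"delete value '{name}' under {RUN_KEY}")
        plan.append(f"delete file {run_values[name]}")
    for path in scan_wininit(wininit_text):
        hit = ntpath.basename(path).lower() in SECURITY_EXES
        note = " (security software)" if hit else ""
        plan.append(f"remove WININIT.INI [rename] deletion of {path}{note}")
    if mirc_loads_remote32(script_ini_text):
        plan.append("restore mIRC SCRIPT.INI from a clean copy and delete REMOTE32.INI")
    if plan:
        plan.append("reboot, reinstall the antivirus the worm removed, run a full scan")
    return plan


# Constructed sample inputs standing in for a process list, a Run-key export,
# and the two INI files.
SAMPLE_PROCESSES = ["explorer.exe", "SCR.EXE", "outlook.exe"]
SAMPLE_RUN_VALUES = {
    "SystemTray": "SysTray.Exe",
    r"C:\WINDOWS\SYSTEM\gone.scr": r"C:\WINDOWS\SYSTEM\gone.scr",
}
SAMPLE_WININIT = r"""[rename]
NUL=C:\Program Files\Zone Labs\ZoneAlarm\ZONEALARM.EXE
NUL=C:\Program Files\Zone Labs\ZoneAlarm\license.txt
"""
SAMPLE_SCRIPT_INI = "[script]\nn0=on 1:START:/load -rs remote32.ini\n"

if __name__ == "__main__":
    for step in build_cleanup_plan(SAMPLE_PROCESSES, SAMPLE_RUN_VALUES,
                                   SAMPLE_WININIT, SAMPLE_SCRIPT_INI):
        print("-", step)
```

The WININIT.INI check is the one most people skip: ending the process and deleting the registry value does nothing about a deferred deletion that is already queued, so the antivirus directory can still vanish on the reboot that is part of the cleanup.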

As always, an ounce of prevention is worth a pound of cure. Educate your users about attachments and about files accepted through instant messaging software. In this instance, let them know that mIRC may be modified as well. Never allow Outlook or Outlook Express to launch attachments automatically. Make sure the signature files for your anti-virus software and the security patches for Outlook are up-to-date. (Since Goner first appeared on December 4, a signature update is almost certainly needed.)

And finally, never look a gift (or Trojan) horse in the mouth.

--
Jim Freund is the Managing Editor of CrossNodes.

For more anti-viral advice, read Don't Let Viruses Knock You Out.