Going, Going, Goner

The latest viral threat can use ICQ and mIRC to propagate itself, and can delete some security software from your systems. Read on to learn all of Goner's methods of attack, its payload, and how to remove it if you've been infected.

 By Jim Freund

It's that time of year again. Invitations coming in left and right; little unexpected presents from folk we barely know. Unfortunately, what we're referring to has nothing to do with Yuletide, but rather e-mail attachments with viral payloads. The gifts you receive may have nice wrapping, but if you open one of them, you're a goner.

W32/Goner is, in fact, the name of the latest in the recent series of mass-mailer viruses that exploit Outlook. Its payload is not, in and of itself, particularly deadly. The greatest danger is that Goner can delete directories containing security software, and can exploit the instant message program, ICQ, and possibly mIRC. As the worm propagates, you might experience the equivalent of a Denial of Service attack as your e-mail gateway is temporarily flooded. Goner's overall significance is probably in the vulnerable state it leaves a system in if it is not eradicated, and the potential it holds to become part of a multi-tiered attack, such as that which Nimda used.

Most commonly, Goner is delivered as an e-mail which appears as follows:

Subject:	Hi!

Body:	How are you ?
	When I saw this screen saver, I immediately thought about you
	I am in a harry, I promise you will love it!

Of course, minor variants on that text are likely to turn up.
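Because the wording is likely to vary slightly, a mail filter that looks for the exact strings will miss reworded copies. The following sketch is an added example, not code from the article or from any anti-virus product: it scores a message against the lure quoted above using approximate line matching. The function names, the 0.85 similarity threshold, and the two-of-three rule are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.policy import default

# Lure text exactly as quoted in the article ("harry" is the worm's own typo).
LURE_SUBJECT = "Hi!"
LURE_LINES = [
    "How are you ?",
    "When I saw this screen saver, I immediately thought about you",
    "I am in a harry, I promise you will love it!",
]
SIMILARITY = 0.85   # assumed threshold for a "minor variant" of a line
MIN_HITS = 2        # assumed: at least two of the three lure lines must match

def _norm(text):
    """Lower-case, replace punctuation with spaces, collapse whitespace."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", text.lower()).split())

def lure_hits(raw_message):
    """Count lure lines that approximately match a line of the plain-text body."""
    msg = message_from_string(raw_message, policy=default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    lines = [n for n in map(_norm, body.splitlines()) if n]
    hits = 0
    for lure in map(_norm, LURE_LINES):
        best = max((SequenceMatcher(None, lure, l).ratio() for l in lines), default=0.0)
        hits += best >= SIMILARITY
    return hits

def looks_like_goner(raw_message):
    """Flag only when the subject matches AND most of the body lure is present."""
    msg = message_from_string(raw_message, policy=default)
    subject_ok = _norm(msg["Subject"] or "") == _norm(LURE_SUBJECT)
    return subject_ok and lure_hits(raw_message) >= MIN_HITS

# Constructed sample: a reworded variant of the lure, not a captured message.
SAMPLE_VARIANT = (
    "From: friend@example.com\nTo: you@example.com\nSubject: hi !\n\n"
    "How are you?\n"
    "When I saw this screensaver, I immediately thought about you.\n"
    "I am in a hurry, I promise you will love it!\n"
)

if __name__ == "__main__":
    print(lure_hits(SAMPLE_VARIANT), looks_like_goner(SAMPLE_VARIANT))
```

Requiring both the subject and most of the body keeps an ordinary "Hi!" message that merely opens with "How are you?" from being flagged.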

As mentioned, another method Goner uses to propagate itself is through ICQ. Similar to the manner in which mass-mailer viruses use the victims' address books as their next targets, the worm attempts to initiate a file transfer with anyone in ICQ's contact list. Should the intended recipient approve the file transfer, Goner sends a copy of itself.

mIRC users may also be vulnerable. If the chat program is present, the worm creates the file REMOTE32.INI and modifies the mIRC SCRIPT.INI file to use it. This causes the mIRC client to initiate a Denial of Service attack at the direction of remote IRC users who are connected to the same channel.

This article was originally published on Dec 5, 2001