Goner worm spreads, tries to delete firewalls

A new high-risk worm that attempts to delete a number of program files on infected computers, including firewall applications, is spreading quickly, according to several antivirus firms.

The Goner worm spreads by way of an attachment sent to users of Microsoft Corp.'s e-mail programs Microsoft Outlook and Outlook Express and, in a change from the usual worm formula, through the chat application ICQ, according to statements from vendors of antivirus products including McAfee.com Corp., Computer Associates International Inc. and Trend Micro Inc.

Unlike the recent Badtrans worm, Goner doesn't exploit any security vulnerabilities; instead, its attachment must be double-clicked in order to launch, said April Goostree, virus research manager at Sunnyvale, Calif.-based McAfee.com.

Goner appears in a user's in-box as an e-mail with the subject line "Hi." The body of the message reads: "How are you? When I saw this screen saver, I immediately thought about you ... I am in a harry [sic], I promise you will love it!" The mail also includes an attachment called Gone.SCR, which appears to be a screen saver.

When the attachment is double-clicked, the worm sends itself to everyone in the victim computer's address book, the antivirus companies said. Goner also tries to spread through the ICQ chat program, sending a copy of itself to all online users, Tokyo-based Trend Micro said in an online statement. The worm installs a backdoor program that is activated whenever the IRC chat application is launched and that can be used in denial-of-service attacks, Trend Micro said. After the attachment is double-clicked, a window pops up, which includes credits for the virus' writer and its testers.

After launch, Goner attempts to locate and delete several programs, including security programs like Zone Labs Inc.'s ZoneAlarm firewall application, Goostree said. Other files it attempts to delete include antivirus programs from Symantec Corp. and Command Central Inc. and security applications from Lockdown Corp. and SafeWeb Inc., according to McAfee.com and Trend Micro.

The number of users infected with Goner is already "very, very large," Goostree said, although she didn't have an exact number available. "I would imagine you're going to see corporations shutting down their mail servers" to deal with the worm, she said.

Users are advised to update their virus definitions, visit the Web site of their antivirus provider and not open unexpected attachments.

Copyright © 2001 IDG Communications, Inc.
