W32/Goner@MM

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Minimum DAT

4174 (2001-12-04)

Updated DAT

4346 (2004-03-31)

Minimum Engine

5400.1158

File Length

38,912

Description Added

2001-12-04

Description Modified

2001-12-10

Malware Proliferation

Characteristics

This mass mailing worm attempts to send itself using Microsoft Outlook to all entries found in the Outlook Address book. It tries to delete security software, can spread via ICQ, and drops an IRC bot script. It arrives in an email message containing the following information:

Subject: Hi
Body:
How are you ?
When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!

Attachment: GONE.SCR

Running this attachment infects the local system.

When run, the worm displays a message box entitled, "About"

After a short time, another window entitled "Error" is displayed:

The worm copies itself into the "WINDOWS SYSTEM" folder and adds the following registry key to load itself at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run\C:\%WINDIR%\%SYSTEM%\gone.scr=C:\%WINDIR%\%SYSTEM%\gone.scr

The exact location is depending on the windows installations options, but on most Windows 9x/ME systems it'll be C:\WINDOWS\SYSTEM\GONE.SCR , whereas on WinNT based systems it would be C:\WINNT\SYSTEM32\GONE.SCR.

Under Windows 9x/ME, the worm looks for the following processes in memory:

_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
APLICA32.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPM.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET32.EXE
ESAFE.EXE
FRW.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
LOCKDOWN2000.EXE
NAVW32.EXE
PCFWallICON.EXE
SAFEWEB.EXE
TDS2-98.EXE
TDS2-NT.EXE
VSHWIN32.EXE
ZONEALARM.EXE

If present, the process is terminated and all files in the directory containing that executable are deleted, as well as all files within any subdirectories. If this action fails, the worm may create a WININIT.INI file to delete the files upon restart.

The worm attempts to copy ICQMAPI.DLL to the WINDOWS SYSTEM directory to send itself to ICQ users. DLL calls are made which send the worm to ICQ contacts which are on-line. The worm also creates the file REMOTE32.INI and modifies the mIRC MIRC.INI file to use it. This causes the mIRC client to become an IRC bot, accepting instructions to initiate a Denial of Service attack from remote IRC users who are connected to the same channel. The script connects to the server "twisted.ma.us.dal.net" and joins the channel "#pentagonex". The user does not have to be knowingly connected to this server in order for this script to join this channel, they only have to start mIRC and the script will join this channel in the background.

Note that on WinNT based systems, the virus is visible in the task manager as "pentagone". Under the process tab it should be listed as "gone.scr".

Symptoms

- Presence of the GONE.SCR
- Presence of the REMOTE32.INI
- Users stating that you have sent them the virus, when you did not knowingly do so

Method of Infection

This mass-mailing worm sends itself to all users found in the Outlook Address Book using a plain text format. Therefore, the attachment does not start automatically when the user opens the message and does not get activated automatically when then Outlook preview pane if used.

Removal

All Windows Users :
Use current engine and DAT files for detection and removal.

Reinstall any security software that was deleted by the virus.

Click START | RUN, type "C:\Program Files\Common Files\Network Associates\VirusScan Engine\4.0.xx\SCAN.EXE" /ADL /CLEAN [with the quotation marks], and hit ENTER
Then reinstall VirusScan.

Manual Removal Instructions (not required for McAfee users with current engine and DAT files )

WINDOWS 95/98/ME

Restart Windows in Safe Mode (reboot your computer, just before the large WINDOWS startup screen comes up, hit the F5 key). You can recognize that you're in Safe Mode by the text Safe Mode in the 4 corners of the desktop.
Click START | RUN, type COMMAND and hit ENTER
Type CD %WINDIR%\SYSTEM and hit ENTER
Type ATTRIB -h -s -r GONE.SCR and hit ENTER
(if File not found is returned then the virus is not active and you do not need to proceed with these instructions)
Type DEL GONE.SCR and hit ENTER
Click START | RUN, type REGEDIT and hit ENTER
Click the (+) next to HKEY_LOCAL_MACHINE
Click the (+) next to SOFTWARE
Click the (+) next to MICROSOFT
Click the (+) next to WINDOWS
Click the (+) next to CURRENTVERSION
Click RUN
Click on C:\WINDOWS\SYSTEM\gone.scr in the DATA section on the right and hit DELETE on the keyboard
Click START | FIND | Files or Folders ...
Type REMOTE32.INI and hit ENTER
Delete REMOTE32.INI
Restart the computer

WINDOWS NT/2000/XP

Type CTRL-ALT-DEL at the same time
Choose TASK MANAGER and then choose the PROCESS tab
Locate the GONE.SCR process, click it, and choose END PROCESS
(if you can't find the process, then the virus is not active and you do not need to proceed with these instructions)
Click START | RUN, type CMD and hit ENTER
Type CD %WINDIR%\SYSTEM32 and hit ENTER
Type ATTRIB -h -s -r GONE.SCR and hit ENTER
Type DEL GONE.SCR and hit ENTER
Click START | RUN, type REGEDIT and hit ENTER
Click the (+) next to HKEY_LOCAL_MACHINE
Click the (+) next to SOFTWARE
Click the (+) next to MICROSOFT
Click the (+) next to WINDOWS
Click the (+) next to CURRENTVERSION
Click RUN
Click on C:\WINNT\SYSTEM32\gone.scr in the DATA section on the right and hit DELETE on the keyboard
Click START | FIND | Files or Folders ...
Type REMOTE32.INI and hit ENTER
Delete REMOTE32.INI
Restart the computer

Additional Windows ME/XP removal considerations

Threat Detail