Goner worm fails to impact Asian users

The Goner worm which began circulating in Europe Tuesday has had limited impact in Asia, according to anti-virus vendors and specialist response teams in the region.

“We have seen a certain level of activity, but few reports of infections among our members,” said Kathryn Kerr, threat assessment manager at Australia’s Computer Emergency Response Team (AusCERT).

The W32.Goner.A@mm or Goner worm is disguised as a screensaver that comes attached to an email message. When the recipient opens the attachment, the worm activates and seeks out any locally installed anti-virus and personal firewall software. It then attempts to erase all the files in the directory where the software is installed. It can also spread through file attachments sent by instant messaging systems.

The reason for the low infection level is a combination of growing end-user awareness of the potential damage worms and viruses can cause, and because Goner is a fairly straightforward worm that only starts up if a user opens an email attachment, according to Kerr.

“Users are more aware and more cautious now, but there is still a certain percentage of people who fall for these things,” Kerr said.

In Singapore and Malaysia, fewer than five customers have made inquiries about the worm to security vendor Symantec Corp., according to spokeswoman Teresa Wong.

On the downside, the payload is quite damaging as one of the worm’s primary tasks is to disable a computer’s anti-virus and firewall protection.

“It can damage systems if users wait (to eliminate it) as the payload can damage existing anti-virus software and let other worms or viruses attack,” said Kerr.

Symantec has given the worm a Category 4 (severe) rating because of its ability to spread quickly and its potentially damaging payload.

Kerr said that AusCERT was first informed about the worm from the United Kingdom, but the exact origins of the worm remain unknown, as in most other worm and virus cases recently.

“There have been some investigations in previous cases, but it is quite difficult to find out where viruses come from,” said Kerr.

Security vendor Trend Micro Inc. said it believed the worm began spreading in France, and that the chief danger was for users who underestimate the potential threat.

“Some people have the idea that viruses are big and dramatic, so they intentionally download viruses, and click on them because they want to see what it is capable of doing,” said David Perry, Trend Micro’s global director of education. “Many people who clicked on Goner, wanted to see the screensaver. Some of them even after they know it’s a virus still want to see it.”

– Stephanie Sim, in Hong Kong, contributed to this report.