Tuesday, December 7, 2021

Goner worm spreads, tries to delete firewalls

A new high-risk worm, called “Goner,” which attempts to delete a number of program files on infected computers, including firewall applications, spread quickly on Tuesday, according to several anti-virus firms.

The worm spreads by way of an attachment sent to users of Microsoft Corp.’s e-mail programs Microsoft Outlook and Outlook Express, and, in a change from the usual worm formula, also through the chat application ICQ, according to vendors of anti-virus products including McAfee.com Corp., Computer Associates International Inc. and Trend Micro Inc.

Goner does not exploit any security vulnerabilities like the recent Badtrans worm, but instead must have its attachment double-clicked in order to be launched, said April Goostree, virus research manager at McAfee.com.

Goner appears in user’s in-boxes as an e-mail with the subject line “Hi.” The body of the message reads, “How are you? When I saw this screen saver, I immediately thought about you … I am in a harry [sic], I promise you will love it!” The mail also includes an attachment called Gone.SCR, which appears to be a screensaver.

When the attachment is double-clicked, the worm sends itself to everyone listed in the victim computer’s address book, the anti-virus companies said. Goner also tries to spread through the ICQ chat program, sending a copy of itself to all online users, Trend Micro said in its Web site. The worm installs a back door program that is activated whenever the mIRC chat application is launched and that can be used in denial of service attacks, Trend Micro said. After double-clicking on the attachment, a window also pops up, which includes credits for the virus’ writer and its testers.

After launch, Goner attempts to locate and delete a number of programs, including security programs like Zone Labs Inc.’s ZoneAlarm firewall application, McAfee.com’s Goostree said. Other files it attempts to delete include anti-virus programs from Symantec Corp. and Kaspersky Labs Ltd., and security applications from Lockdown Corp. and SafeWeb Inc., according to both McAfee.com and Trend Micro.

The number of users infected with Goner is already “very, very large,” Goostree said, although she did not have an exact number available.

“I would imagine you’re going to see corporations shutting down their mail servers” to deal with the worm, she said.

Users are advised to update their virus definitions, visit the Web site of their anti-virus provider and not open unexpected attachments.

McAfee.com Corp., in Sunnyvale, Calif., is at http://www.mcafee.com. Trend Micro, in Cupertino, Calif., is at http://www.antivirus.com/.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada

Related Tech News