Email-Worm.Win32.Goner or Goner is a email worm that runs on Windows 32-bit OS.
Goner is a mass-mailer written in Visual Basic. It was found on December 4th, 2001. The worm spreads itself using Outlook e-mail messages as GONE.SCR attachment. It also spreads through ICQ Instant Messanger if it's installed on an infected computer. It also drops a few scripts to MIRC client directory. These scripts can be used to flood certain IRC chat channels. Goner also tries to delete security programs, such as firewalls and anti-virus programs from the system. Although this sounds serious, it doesn't actually help the spreading of the virus much: the virus can only delete security programs if it is able to execute itself; thus the security program was not able to stop Goner anyway, and deleting such programs doesn't help the virus. This technique does make the system more vulnerable to OTHER viruses and threats, though. The worm is a PE EXE file about 39 kilobytes long, it is packed with UPX file compressor. The worm's unpacked file is about 145 kilobytes long. When the worm's file is run, it shows a dialog box with greetings and some animation. This is done to disguise itself. Then it shows a messagebox with a fake error message:
The worm copies itself as GONE.SCR to Windows System folder and tries to creates its startup key in the Registry. The worm runs as a service process, so its task is not visible in Task Manager. To spread itself the worm connects to Outlook Address Book, reads e-mail addresses from it and sends itself to all these addresses. The infected message looks like that:
- Subject: Hi
- How are you ?
- When I saw this screen saver, I immediately thought about you
- I am in a harry, I promise you will love it!
The worm also attempts to send itself through ICQ if it is installed on an infected computer. It uses a standard ICQ component to send out its file. The worm sends file transfer request to a contact of an infected user who appears to be on-line (in any mode) and if that person approves file transfer, the worm sends its file to that person. This way all ICQ contacts of an infected user will get the worm. The worm looks for and terminates the following processes:
APLICA32.EXE, ZONEALARM.EXE, ESAFE.EXE, CFIADMIN.EXE, CFIAUDIT.EXE, CFINET32.EXE, CFINET.EXE, IAMSERV.EXE, IAMAPP.EXE, PCFWallIcon.EXE, FRW.EXE, VSHWIN32.EXE, VSECOMR.EXE, WEBSCANX.EXE, AVCONSOL.EXE, VSSTAT.EXE, NAVAPW32.EXE, NAVW32.EXE, _AVP32.EXE _AVPCC.EXE, _AVPM.EXE, AVP32.EXE, AVPCC.EXE, AVPM.EXE, AVP.EXE, LOCKDOWN2000.EXE, ICLOAD95.EXE, ICMON.EXE, ICSUPP95.EXE, ICLOADNT.EXE, ICSUPPNT.EXE, TDS2-98.EXE, TDS2-NT.EXE and SAFEWEB.EXE.
The worm deletes all files in the directory and all subdirectories where the file (which task was killed) is located. If deletion fails, the worm creates WININIT.INI file that will delete these files on next Windows startup. The worm also tries to delete C:\SAFEWEB\ folder.