
'Gone' worm continues destructive march

A serious new virus called the "Goner" worm has been spreading rapidly and infecting multiple corporate and home PCs this week. In some cases, it has even been removing antivirus and security software. Here are the details.


The latest e-mail transmitted worm, known by various names including “Gone,” “Pentagone,” and “Goner,” specifically targets firewall and antivirus software installed on the systems it infects. The usual suspects—Outlook, Visual Basic, and ICQ instant messaging—are once again the vehicles for a major Internet threat, and your files could be a “goner” if you open the GONE.SCR attachment that is currently spreading rapidly around the world.

Details
Technically known as W32/Gone.A, Gone is a very dangerous worm, which Newsbytes’ London Bureau Chief Steve Gold reported on Dec. 4 as having originated in France or Germany. By Tuesday evening, the worm had infected enough machines to pop up on the radar of mainstream media outlets and was briefly mentioned on TV news reports.

The subject line of the message carrying the Gone worm reads “Hi,” and the message text describes the attachment as a screen shot. That description is the lure: GONE.SCR is a Windows screen saver, which is an ordinary executable, not an image. If you open the attachment, the worm spreads itself using addresses from the infected machine’s Outlook address book and, according to an early report on antivirus firm Central Command’s Web site, displays two images. One is a fake error message while the other is apparently a signature with the identification “pentagone” at the top and “coded by suid.” Incidents.org (SANS) reports that the Gone.scr attachment is 38,912 bytes long.
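The indicators above (subject “Hi,” an attachment named GONE.SCR, a size of 38,912 bytes) are enough for a mail-gateway check. The following is an added example, not code from the article or from any antivirus vendor: it parses an RFC 822 message, flags the Goner combination, and separately flags any executable attachment (.SCR included) so that a renamed variant is still caught. The sample message is constructed here; no real worm body is embedded, and the message text is invented.

```python
"""Mail-gateway check for the Goner indicators quoted in the article.

Added example. Assumptions: the three indicators from the article
(subject "Hi", attachment GONE.SCR, 38,912 bytes) and the generic rule
that a .SCR file is a Windows screen saver, i.e. an executable.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

GONER_ATTACHMENT = "gone.scr"
GONER_SIZE = 38912  # bytes, the Incidents.org figure quoted in the article
# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com", ".bat", ".vbs")


def classify_message(raw: bytes) -> dict:
    """Return indicator hits for one raw message.

    'goner' is set only when subject, filename and size all match;
    'executable_attachment' fires on any executable extension, so a
    renamed or repacked variant still gets flagged for quarantine.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["subject"] or "").strip().lower()
    hits = {"goner": False, "executable_attachment": False, "attachments": []}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        size = len(part.get_payload(decode=True) or b"")
        hits["attachments"].append((name, size))
        if name.endswith(EXECUTABLE_EXTS):
            hits["executable_attachment"] = True
        if subject == "hi" and name == GONER_ATTACHMENT and size == GONER_SIZE:
            hits["goner"] = True
    return hits


def build_sample(filename: str, size: int, subject: str = "Hi") -> bytes:
    """Construct a test message shaped like the one the article describes.

    The body text and addresses are invented; the attachment is a block
    of zero bytes of the requested size, not worm code.
    """
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content("Here is the screen shot I told you about.")
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    print(classify_message(build_sample("GONE.SCR", GONER_SIZE)))
    print(classify_message(build_sample("photo.jpg", 1024)))
```

The size check is deliberately exact because the article gives an exact figure; in production the executable-extension rule is the one that keeps working once the worm is repacked.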

Infected Windows systems will also carry a new registry entry.

F-Secure, which was one of the first antivirus vendors to identify and post information on the worm, reports that the fake error message displayed when you open Gone reads “Error While Analyze DirectX.”

CNET describes Goner as a typical script kiddie attack and gives it a relatively high risk rating. McAfee also rates the Gone worm as a “high risk” infection being reported by corporations. CERT has posted information on Goner in incident report IN-2001-15. As of Wednesday morning, many antivirus companies had updated their software to block and remove the worm, which was continuing to infect computers in Europe.

Damage
The F-Secure Web page describing Gone lists more than 30 processes terminated on infected computers. After stopping the programs, the Gone worm then attempts to delete all files in the directories and subdirectories where it located the tasks, which range from ZONEALARM.EXE to SAFEWEB.EXE. The programs attacked by Gone all appear to be security related; therefore, Gone can compromise systems by leaving them open to other attacks.

If the worm is blocked from deleting the files, it plants a sleeper command in WININIT.INI that will attempt to delete them the next time Windows is started.
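The WININIT.INI trick relies on a documented Windows 9x mechanism: entries in the file’s [rename] section are processed by the next boot, and an entry of the form NUL=path deletes the file instead of renaming it. The following is an added example, not code from the article or from F-Secure, that a responder could run against a copy of WININIT.INI to list files queued for deletion and flag those that look like security software. The sample INI content is constructed; the product names are the two the article quotes (ZONEALARM.EXE and SAFEWEB.EXE), and the marker list is an assumption to be extended from the full F-Secure process list.

```python
"""Find deferred deletions in a WININIT.INI [rename] section.

Added example. Assumptions: the documented Windows 9x semantics of
WININIT.INI (processed at next boot; NUL=path deletes path) and a
marker list built from the two product names the article quotes.
"""
from typing import List, Tuple

# Substrings that identify security products; from the article's two
# examples, to be extended from the full vendor process list.
SECURITY_MARKERS = ("zonealarm", "safeweb")

# Constructed sample: two worm-style deletions, one legitimate rename
# of the kind installers use, and a decoy section that must be ignored.
SAMPLE_WININIT_INI = r"""
; constructed sample, not a captured file
[rename]
NUL=C:\PROGRA~1\ZONELA~1\ZONEALARM.EXE
NUL=C:\PROGRA~1\SAFEWEB\SAFEWEB.EXE
C:\WINDOWS\SYSTEM\NEWLIB.DLL=C:\WINDOWS\TEMP\NEWLIB.TMP
[Other]
NUL=C:\NOT\PROCESSED.TXT
"""


def parse_rename_section(ini_text: str) -> List[Tuple[str, str]]:
    """Return (destination, source) pairs from the [rename] section only."""
    pairs: List[Tuple[str, str]] = []
    in_rename = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dst, src = (s.strip() for s in line.split("=", 1))
            pairs.append((dst, src))
    return pairs


def deferred_deletions(ini_text: str) -> List[str]:
    """Paths scheduled for deletion at next boot (destination is NUL)."""
    return [src for dst, src in parse_rename_section(ini_text)
            if dst.upper() == "NUL"]


def suspicious_deletions(ini_text: str) -> List[str]:
    """Deferred deletions whose path names a known security product."""
    return [path for path in deferred_deletions(ini_text)
            if any(marker in path.lower() for marker in SECURITY_MARKERS)]


if __name__ == "__main__":
    for path in deferred_deletions(SAMPLE_WININIT_INI):
        flag = "SECURITY PRODUCT" if path in suspicious_deletions(SAMPLE_WININIT_INI) else ""
        print(f"queued for deletion: {path} {flag}")
```

Any NUL= entry deserves a look before the next reboot, since a clean machine normally has no WININIT.INI at all outside an installer run; the marker list only prioritises the review, it does not make the other entries safe.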

Mitigation
The only mitigating factor is that, whether they receive the attachment by instant message or by e-mail, users must still open it to become infected. Merely reading the message text won’t infect a machine.

Of course, anyone following the most basic security practices—which should always include a refusal to open any unexpected attachments from anyone, even trusted sources—would simply delete this worm before it had a chance to infect their systems.

Although Gone is spreading rapidly, I haven’t yet seen any reports of denial of service events due to a large volume of messages generated by it. This may be due to the fact that the payload is relatively small.

However, unlike some worms, Goner doesn’t appear to limit itself as to the number of addresses it captures from Outlook, so a few unlucky individuals could find their mailboxes filled with Gone-linked messages. And DoS reports could emerge as the infection spreads.
