Have you been hit by the "Goner" worm?

By jasonhiner Moderator ·
Another new virus is spreading across the Internet. This one is referred to as the "Goner" worm (also GONE.A, WORM_GONER.A, I-Worm.Goner, Gone, or W32/Goner@MM). This one can do some serious damage and it is listed as "high risk" by a number of major anti-virus vendors. Have you been hit?

For more info, see:


In a word: No

by James R Linn In reply to Have you been hit by the ...

We have multiple layers of anti-virus protection. All of our layers had the right signature file to defeat this one.



It was caught

by datechguy In reply to In a word: No

We also 'caught' it as it came in on the Exchange server. Yet, what worries me is the Proxy and Terminal Server, which both have BlackIce on them. I read the description of it at, and I was told by a colleague that this virus has the ability to shut BlackIce down. Which goes to show that you need more than one form of anti-virus software on your boxes exposed to the world.


Not Exactly

by Jon P In reply to It was caught

Black Ice is a nice piece of kit for the home user, but there's NO WAY I'd trust it on a commercial machine such as a Terminal Server or a Proxy Server.

Neither of these machines should be directly attached to the internet, I think that you should seriously consider spending a few hundred bucks on a firewall and consider some kind of mail sweeper SMTP gateway.

This worm WOULD be able to shut down an unprotected machine, you should patch Outlook on the terminal server, and the proxy server couldn't get hit by this virus if a) no-one maps any drives to that machine, and b) No-one uses any e-mail software on it. This is an "e-mail" worm, meaning that it can't infect a machine in the way Code Red did, you have to actively click on the attachment to get the worm going.

You've got an Exchange server, a Terminal server and a Proxy server, I'd hate to think that these machines are serving a network where the only protection from the internet is a Proxy server, this does a reasonable job for what it does, but it is NOT a firewall. The price of Firewalls has dropped recently, protect your investment, (And your job!) MimeSweeper, which is what I use for an SMTP gatekeeper will sit on an exchange box in a small network (but if you go for more than 25 users then get a separate box) it runs on NT workstation, and it can be independent of a domain, and stop all those nasties at the door!



by radiic In reply to Have you been hit by the ...

I use Trend Micro AV. The company that you have the link for the virus info. My site gets updated every morning at 7:00 which updates all my servers, exchange servers, and workstations automatically. Well since their pattern file wasn't released until 7:44 this morning, all I had to do was log into my anti virus server and click one button which updated my entire network and whammm I was protected. Thank god for Trend...I still sing their praises, and after today even more.



Hey rad... not for nothing but

by LordInfidel In reply to Nope

Are you able to block extensions in micro av?

If so, try using my method of extension blocking. I basically never have to worry about updating my definitions.

The bad guys can throw a million brand new vbs viruses at my network and they will never get thru. Even with 2 year old virus definitions.

Blocking extensions in my opinion is the only way to safeguard your network with the least amount of work and maintenance.

Just my thoughts


Yes it can BUT I have to update my

by radiic In reply to Hey rad... not for nothin ...

store.exe in order to turn on the advanced mapi functions. Since I am the only one in the IT department that one keeps moving on the list of things to do. But I still have no fear cause Trend is Great.



Update... You will be glad you did

by LordInfidel In reply to Yes it can BUT i have to ...

I'm telling ya.... Once it is working you can just sit back and relax every time some idiot comes out with a new virus.

I used to have to baby sit our virus posture. Always being on the defensive.

Now I breathe easy and can work on other things without having to worry about a nasty slipping thru because my definitions didn't catch it.

Just a suggestion from one admin to another.


by jluster In reply to Update... You will be gla ...

"I'm telling ya.... Once it is working you can just sit back and relax every time some idiot comes out with a new virus."

So all you do is lean back and wait until the next big ActiveX/Java/OE/Outlook/HTML exploit hits your systems, this time with something more sophisticated than just a .scr.pif and hits you? Extension blocking might be nice as ONE layer of defense, but to sell this as THE solution is a bit careless, don't you think?


You need to define exploit vs virus

by LordInfidel In reply to

They are 2 different things.

While a virus writer might use a new exploit to carry out his evil deed.

His delivery method still has to be employed via an e-mail attachment.

By blanket blocking attachments, you are essentially stopping future viruses.

So let's say a virus writer comes up with a new virus that exploits a hole in Outlook that was just discovered an hour ago. And that virus writer packages the virus as a vbs script.

It is fair to say that any attempts to send a vbs script into my network will be blocked because I do not allow vbs files thru e-mail. Hence effectively blocking the attack.

This method is commonly used in firewalling. I have just employed it to e-mail.

In firewalling, you only allow in what you want. If there is a new exploit that uses tftp and you don't allow tftp in, then you will not be affected. Same principle.

Take a look at the following url for all of the extensions that I block: basically have gone thru my system directories and selected every known file extension that can be used by the system and blocked it. With some exceptions of course that my users need to accomplish their day to day jobs.

And yes, I do sit back and wait. And since my network has not been taken down in over 2 years, I believe my method works. It is just one layer of defense that I employ. But it is a big part of it when it comes to e-mail borne attacks.


That's an interesting POV

by Jon P In reply to You need to define exploi ...

Since you've taken it upon yourself to burn everyone who has tried to help you, I'm not going to bother, ignorant Admins who think that their solution is "the" solution are the cause of the proliferation of viri such as Code Red.

I don't doubt that by blocking "every known extension" you are able to keep the wolf from the door as far as blocking VBS goes, but you're a virus writer's dream come true, Visual Basic Script is just one way of hacking your system, but just by sending your users a spam mail saying "come and look at my site" and then exploiting an explorer "hole".

Read any security book (I'd suggest "Hacking Exposed") and you'll see how poor your defenses are, I wouldn't keep my money in a bank where the only security is to check the bags that are attached to the people coming in through the front door, which is what you're suggesting people do, I'd want safes, glass walls between the people and the cashiers, panic buttons, alarms and everything else that goes with Secure Banks today, because otherwise, the moment someone gets round your defence, you're stuffed! (For example by sending your user a virus in a zipped file, or are you going to block .zip extensions as well?)

I'd really hate to be a user on your network, they're so tied up with pointless security. They probably have a hard time doing anything on your network because you're too focussed on one kind of defence to look at the alternatives that may make your users lives easier.
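
The extension blocking LordInfidel describes and the zipped-attachment case Jon P raises, as an added example that is not from any poster in this thread: it checks each attachment name (including double extensions such as the `.scr.pif` mentioned above) and the member names inside zip attachments. The blocklist, function names and sample messages are assumptions constructed for illustration.

```python
import io
import zipfile
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed blocklist for illustration; the poster's real list is not on the page.
BLOCKED = {".vbs", ".scr", ".pif", ".exe", ".bat", ".com", ".js"}

def blocked_suffix(filename):
    """Return the first blocked extension anywhere in the name, else None."""
    # Windows ignores trailing dots/spaces, so "a.exe. " still runs as a.exe.
    name = filename.strip().rstrip(". ").lower()
    # Every suffix is checked, so "gone.scr.pif" and "note.vbs.txt" both match.
    for suffix in PurePosixPath(name).suffixes:
        if suffix in BLOCKED:
            return suffix
    return None

def scan_message(msg):
    """Return (attachment name, reason) for every attachment to quarantine."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        hit = blocked_suffix(name)
        if hit:
            findings.append((name, f"blocked extension {hit}"))
        elif name.lower().endswith(".zip"):
            try:  # look inside archives, the bypass raised in the thread
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    findings += [(name, f"member {m} has {blocked_suffix(m)}")
                                 for m in zf.namelist() if blocked_suffix(m)]
            except zipfile.BadZipFile:
                findings.append((name, "unreadable archive"))
    return findings

def make_zip(member_names):  # constructed in-memory zip with dummy contents
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in member_names:
            zf.writestr(member, b"constructed")
    return buf.getvalue()

def build_sample(attachments):  # constructed message from (filename, bytes) pairs
    msg = EmailMessage()
    msg.set_content("constructed body")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg
```

A name-based filter like this only covers the attachment path; a link in the message body, as Jon P notes, never reaches it.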
