'Goner' E-mail Worm Rated Highest Risk

A brand new worm is being passed around by Microsoft Outlook home and business users and is so bad it has the potential to wipe out complete files. We offer the latest information.



A brand new worm slithering through the Web is being passed around by Microsoft Outlook home and business users and is so bad it has the potential to wipe out complete files.

Anti-virus experts at McAfee.com (NASDAQ:MCAF) identified the worm early Tuesday morning and have named it "Goner" after its identification string W32/Goner@MM. The company assessed the virus as a HIGH risk - its most serious rating.

Compared to other well-known computer infections such as NIMDA, Code Red, Melissa and ILOVEYOU, McAfee says this is pretty serious stuff.

"Goner" Virus Resources
Here are some sites to go to for up-to-date information on the virus.

McAfee, which offers a virus description, methods of infection and information for removal

Symantec, which also offers technical information about the virus

"To coin a phrase from Star Trek - this is certainly an attempt to bring down the shields," says McAfee Security Architect Sam Curry. "It has the potential to be as destructive as the others, but it's still too early in the game and we won't see the full impact of this worm for some time. Unlike the Anna Kournikova virus that did one thing, this one is a hybrid virus that does a few things like deleting firewall and anti-virus files."

Curry says that like many other e-mail-based infections, the worm is expected to spread further at the times when people are checking their e-mail - early in the morning, at lunch and when they get home from work.

This mass-mailing worm attempts to send itself using Microsoft Outlook to all entries found in the Outlook Address book. It can also spread through the instant messaging platform ICQ. The worm arrives in an e-mail message that contains the subject "Hi" with a short message in the body.

How are you ? When I saw this screen saver, I immediately thought about you I am in a harry, I promise you will love it!

Sunnyvale, Calif.-based McAfee's AVERT team says the worm won't activate until you open the attachment:


The payload, if activated, can delete files from users' computers. The "Goner" worm then e-mails itself to every e-mail address contained in the user's address book.

Running this attachment infects the local system and not the network. When run, the worm displays a message box entitled "About" and, after a short time, another window entitled "Error" is displayed.

The worm then copies itself into SYSTEM32 in the %WinDir% folder and adds the following registry key in order to get started upon boot:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\%WINDIR%\SYSTEM32\gone.scr=C:\%WINDIR%\SYSTEM32\gone.scr
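A defender can check for this autostart entry by reviewing the Run key. The sketch below is an added example, not code from McAfee or the original article: it parses the text output of `reg query` for the Run key and flags entries that match the traits described above. The 4-space output layout, the expanded `C:\WINDOWS` path, the sample entries and the function names are assumptions.

```python
import ntpath
import re

# One value line of `reg query` text output: name, type and data, 4-space separated.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# Executable path at the start of the data, with optional quotes and arguments.
EXE_PATH = re.compile(r'"?(.*?\.[A-Za-z0-9]{2,4})(?=["\s]|$)')
KNOWN_NAMES = {"gone.scr"}  # file name given in the article

# Constructed sample output; the expanded C:\WINDOWS path is an assumption.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    AvTray    REG_SZ    "C:\Program Files\ExampleAV\avtray.exe" -start
    C:\WINDOWS\SYSTEM32\gone.scr    REG_SZ    C:\WINDOWS\SYSTEM32\gone.scr
    Updater    REG_SZ    C:\Tools\updater.exe /min
"""

def parse_run_values(text):
    """Return (value name, value data) pairs found in `reg query` output."""
    pairs = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            pairs.append((m.group("name").strip(), m.group("data").strip()))
    return pairs

def audit_run_key(text):
    """Return (name, data, reasons) for autostart entries worth a closer look."""
    findings = []
    for name, data in parse_run_values(text):
        m = EXE_PATH.match(data)
        target = m.group(1) if m else data
        reasons = []
        if ntpath.splitext(target)[1].lower() == ".scr":
            reasons.append("screen saver (.scr) file set to run at boot")
        if name.lower() == target.lower():
            reasons.append("value name is the file path itself")
        if ntpath.basename(target).lower() in KNOWN_NAMES:
            reasons.append("file name reported for W32/Goner@MM")
        if reasons:
            findings.append((name, data, reasons))
    return findings

if __name__ == "__main__":
    for name, data, reasons in audit_run_key(SAMPLE):
        print(f"{name} -> {data}")
        for reason in reasons:
            print(f"  - {reason}")
```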

The new "Goner" worm comes quickly on the heels of the recent "Badtrans" Internet worm variant.

Both viruses affect users of Microsoft Outlook, although the "Goner" worm appears to target various firewall and anti-virus files for deletion.

And because of the multi-layered aspects of the worm, Curry suspects that this is more the work of crackers than of regular hackers.

This story first appeared on Siliconvalley.internet.com, an internet.com site.
