Original Issue Date: December 5, 2002
W32/GONER@MM is a destructive, memory-resident worm delivered as a Visual Basic-compiled Windows executable.
1.2 Systems Affected
All Windows operating systems (English-language versions)
This worm propagates only via the Microsoft Outlook client and ICQ.
1.5.1 Delete Files
Upon execution of the attachment, it first terminates files on the local machine's hard drive and then deletes them. Among the files affected by the worm are:
1.5.2 Display Message
Upon execution, it also displays a message box entitled "About" containing the following text:
coded by: suid
texted by: ThE_SKuLL and |satan|
greetings to: TraceWar, k9_unit, stef16 ^Reno
greetings also to nonick2 out
there where ever you are
2.1 Propagation via E-mail
It arrives via e-mail as an attachment named GONE.SCR, accompanied by the following message:
Message Body: How are you ?
When I saw this screensaver, I immediately thought about you
I am in a hurry, I promise you will love it!
"It continues by creating an Outlook Application Object, and uses MAPI script commands to create and send emails to all recipients found in the infected user's address book. Thereafter, it deletes these bogus emails from MS Outlook." - Trend Micro
2.2 Propagation via ICQ (Extracted from Trend Micro)
"It uses mIRC to install a backdoor through scripts contained in the dropped REMOTE32.INI file. Instructions are then inserted into the user's MIRC.INI file to load the dropped REMOTE32.INI. The worm author can then use this worm extension to start Denial of Service (DoS) attacks on IRC channels, servers and/or users connected to the same IRC channel as the infected user. Clone users, with random names, are created by the worm to achieve this. Occasionally, these clones join the channel #pentagonex found on the server twisted.ma.us.dal.net.
The worm also propagates via the ICQ chat application. It uses the ICQAPI to send copies of itself to ICQ users." - Dec 4, 2001
Extracted from NAI
"The worm attempts to copy ICQMAPI.DLL to the WINDOWS SYSTEM directory to send itself to ICQ users. DLL calls are made which send the worm to ICQ contacts which are on-line. The worm also creates the file REMOTE32.INI and modifies the mIRC SCRIPT.INI file to use it. This causes the mIRC client to become an IRC bot, accepting instructions to initiate a Denial of Service attack from remote IRC users who are connected to the same channel" - Dec 4, 2001
It also displays a dialog box with the text "Error: Error While Analyze DirectX!"
2.3 Registry Affected (Extracted from Trend Micro)
It then continues performing worm activity and displays a bogus message box containing the text: “Error While Analyze DirectX!” It then drops a copy of the worm file to a %System%\GONE.SCR file. The worm copies itself into the WINDOWS SYSTEM folder and adds the following registry key to load itself at startup.
To avoid detection, it may add an entry to the WINNT.INI file that deletes files upon restart.
3. Possible Steps
3.1.1 DO NOT execute any attachment received by e-mail, and do not open any e-mail attachments with the extension mentioned in 2.1.
3.1.2 Do not open any suspicious/unknown attachments and delete them immediately. Regularly update the virus definition file of your antivirus software and run a virus scan on the computer. This is to ensure that the software is able to detect the presence of a new virus.
The list of known antivirus vendors can be found at:
3.1.3 Always run a virus scan on any downloaded file before executing it. It is advisable to keep your antivirus software running in "Auto Protect Mode" at all times.
Refer to Safe Email Practices:
3.1.4 Large organisations are advised to filter e-mail attachments and to block all e-mail carrying attachments with the .scr extension. It is also recommended to scan e-mail for viruses at the gateway.
Any antivirus with the latest virus definitions is able to detect the worm. To detect the worm, run an antivirus scan with the latest signature file on your system. Ensure the antivirus is configured to scan ALL FILES or, if only selected file types are scanned, that the relevant extensions such as .SCR are included.
Symantec has provided a fix tool to remove this worm. Please refer to:
Manual removal can be used if you have not yet updated the signature/pattern file. Please follow these instructions carefully.
- Reboot the computer.
- Before the startup logo appears, press F8 (to restart in safe mode).
- Choose the “Command prompt only” option.
- Go to the %System% directory. %System% is a variable; it is usually located at:
- At the command prompt, type the following command then hit the Enter key:
- Type the following command and then hit the Enter key to delete the Worm file:
- Open the registry file (Click Start - Run: type "regedit" with no quotes, and hit ENTER).
- Double click the following:
- Look for the following registry entry and then delete it:
- Locate and delete all files named REMOTE32.INI in your mIRC folders.
- Either delete or restore from backup the file MIRC.INI.
- Press CTRL-ALT-DEL at the same time
- Choose TASK MANAGER and then choose the PROCESS tab
- Locate the GONE.SCR or PENTAGONE process, click it, and choose END PROCESS (if you can't find the process, then the virus is not active and you do not need to proceed with these instructions)
- Click START | RUN, type CMD and hit ENTER
- Type CD %WINDIR%\SYSTEM32 and hit ENTER
- Type ATTRIB -h -s -r GONE.SCR and hit ENTER
- Type DEL GONE.SCR and hit ENTER
- Click START | RUN, type REGEDIT and hit ENTER
- Go to HKEY_LOCAL_MACHINE > SOFTWARE > MICROSOFT > WINDOWS > CURRENTVERSION
- Click RUN
- Click on C:\WINNT\SYSTEM32\gone.scr in the DATA section on the right and hit DELETE on the keyboard
- Click START | FIND | Files or Folders ...
- Type REMOTE32.INI and hit ENTER
- Delete REMOTE32.INI
- Restart the computer
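The manual removal steps above can be turned into a repeatable audit. The following PowerShell script is an added example, not part of the original advisory or any vendor tool: it checks a host for the indicators the steps name (a GONE.SCR or PENTAGONE process, the Run value pointing at gone.scr, the dropped GONE.SCR in the system directory, and REMOTE32.INI next to a MIRC.INI that loads it) and only performs the cleanup when the assumed -Remove switch is given.

```powershell
# Added example (not from the advisory): audit for GONER indicators; -Remove
# is an assumed switch name. Run from an elevated PowerShell prompt.
param([switch]$Remove)

$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$wormFile = Join-Path $env:WINDIR 'SYSTEM32\GONE.SCR'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Active worm process (Get-Process reports the image name without extension)
foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    if ($p.ProcessName -match '^(gone|pentagone)$') {
        $findings.Add("process $($p.ProcessName) (PID $($p.Id))")
        if ($Remove) { Stop-Process -Id $p.Id -Force }
    }
}

# 2. Startup persistence: any Run value whose data references gone.scr
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -notlike 'PS*' -and $prop.Value -is [string] -and
            $prop.Value -match 'gone\.scr') {
            $findings.Add("Run value '$($prop.Name)' = $($prop.Value)")
            if ($Remove) { Remove-ItemProperty -Path $runKey -Name $prop.Name }
        }
    }
}

# 3. Dropped worm body; it carries hidden/system/read-only attributes, hence -Force
if (Test-Path -LiteralPath $wormFile) {
    $findings.Add("file $wormFile")
    if ($Remove) {
        (Get-Item -LiteralPath $wormFile -Force).Attributes = 'Normal'
        Remove-Item -LiteralPath $wormFile -Force
    }
}

# 4. mIRC backdoor script. MIRC.INI is only reported, because the advisory says
#    to restore it from backup rather than edit it in place.
$root = Join-Path $env:SystemDrive '\'
foreach ($f in Get-ChildItem -Path $root -Filter 'REMOTE32.INI' -Recurse -File -Force -ErrorAction SilentlyContinue) {
    $findings.Add("file $($f.FullName)")
    if ($Remove) { Remove-Item -LiteralPath $f.FullName -Force }
    $mirc = Join-Path $f.DirectoryName 'MIRC.INI'
    if (Test-Path -LiteralPath $mirc) {
        Select-String -LiteralPath $mirc -Pattern 'remote32\.ini' |
            ForEach-Object { $findings.Add("MIRC.INI line $($_.LineNumber): $($_.Line.Trim())") }
    }
}

if ($findings.Count -eq 0) { 'No GONER indicators found.' } else { $findings }
```

Run it once without -Remove to review the findings, then again with -Remove; restart the machine afterwards as the advisory instructs, since a WINNT.INI delete entry may still act on reboot.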
4. Detailed Information
4.1 Trend Micro