MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2001

MA-038.122001: W32/GONER@MM Worm

Original Issue Date: December 5, 2001

1.Description

1.1 Overview

W32/GONER@MM is a destructive, memory-resident mass-mailing worm. It is a Visual Basic-compiled Windows executable.

1.2 Systems Affected

All English-language versions of the Windows operating systems.

1.3 Aliases

GONE.A
WORM_GONER.A
I-Worm.Goner
Gone

1.4 Limitation

This worm propagates only via the Microsoft Outlook client and ICQ.

1.5 Payloads

1.5.1 Delete Files

Upon execution of the attachment, the worm first terminates the running processes of antivirus and personal-firewall products, then deletes their files from the local hard drive. The files it targets are:

    IAMAPP.EXE
    IAMSERV.EXE
    CFINET.EXE
    APLICA32.EXE
    ZONEALARM.EXE
    ESAFE.EXE
    CFIADMIN.EXE
    CFIAUDIT.EXE
    CFINET32.EXE
    PCFWALLICON.EXE
    FRW.EXE
    VSHWIN32.EXE
    VSECOMR.EXE
    WEBSCANX.EXE
    AVCONSOL.EXE
    VSSTAT.EXE
    NAVAPW32.EXE
    NAVW32.EXE
    _AVP32.EXE
    _AVPCC.EXE
    _AVPM.EXE
    AVP32.EXE
    AVPCC.EXE
    AVPM.EXE
    AVP.EXE
    LOCKDOWN2000.EXE
    ICLOAD95.EXE
    ICMON.EXE
    ICSUPP95.EXE
    ICLOADNT.EXE
    ICSUPPNT.EXE
    TDS2-98.EXE
    TDS2-NT.EXE
    SAFEWEB.EXE

1.5.2 Display Message

Upon execution, it also displays a message box entitled "About" containing the text:

    pentagone
    coded by: suid
    texted by: ThE_SKuLL and |satan|
    greetings to: TraceWar, k9_unit, stef16 ^Reno
    greetings also to nonick2 out
    there where ever you are

 

2.Technical Details

2.1 Propagation via E-mail

It arrives via e-mail as an attachment named GONE.SCR, together with the following message:

    Subject: Hi
    Message Body: How are you ?
    When I saw this screensaver, I immediately thought about you
    I am in a hurry, I promise you will love it!
    Attachment: GONE.SCR

"It continues by creating an Outlook Application Object, and uses MAPI script commands to create and send emails to all recipients found in the infected user's address book. Thereafter, it deletes these bogus emails from MS Outlook." - Trend Micro

2.2 Propagation via ICQ and mIRC (Extracted from Trend Micro)

"It uses mIRC to install a backdoor through scripts contained in the dropped REMOTE32.INI file. Instructions are then inserted into the user’s MIRC.INI file to load the dropped REMOTE32.INI. The Worm author can then use this worm extension to start Denial of Service (DoS) attacks on IRC channels, servers and/or users connected to the same IRC channel as the infected user. Clone users, with random names, are created by the worm to achieve this. Occasionally, these clones join the channel #pentagonex found on the server twisted.ma.us.dal.net.

The worm also propagates via the ICQ chat application. It uses the ICQAPI to send copies of itself to ICQ users" - Dec 4, 2001

Extracted from NAI
"The worm attempts to copy ICQMAPI.DLL to the WINDOWS SYSTEM directory to send itself to ICQ users. DLL calls are made which send the worm to ICQ contacts which are on-line. The worm also creates the file REMOTE32.INI and modifies the mIRC SCRIPT.INI file to use it. This causes the mIRC client to become an IRC bot, accepting instructions to initiate a Denial of Service attack from remote IRC users who are connected to the same channel" - Dec 4, 2001

It also displays a dialog box reading "Error: Error While Analyze DirectX!"

2.3 Registry Affected (Extracted from Trend Micro)

It then continues its worm activity and displays a bogus message box containing the text "Error While Analyze DirectX!". It drops a copy of itself as %System%\GONE.SCR (the Windows system folder) and adds a value under the following registry key so that the copy is loaded at startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The value points to %System%\gone.scr (see the removal steps in section 3.3).

On Windows 9x/Me it may also write entries to WININIT.INI so that files it could not remove while they were in use (the antivirus and firewall files listed in 1.5.1) are deleted at the next restart, which also hides the deletion from the user.

 

3. Possible Steps

3.1 Prevention

3.1.1 DO NOT execute any attachment received by e-mail, and do not open e-mail attachments with the extension mentioned in 2.1 (.SCR).

3.1.2 Do not open any suspicious or unknown attachments; delete them immediately. Regularly update the virus definition file of your antivirus software and run a virus scan on the computer, so that the software is able to detect newly released viruses.

The list of known antivirus vendors can be found at:

3.1.3 Always run a virus scan on any downloaded file before executing it. It is advisable to keep your antivirus software running in "Auto Protect Mode" at all times.

Refer to Safe Email Practices:

3.1.4 Large organisations are recommended to filter e-mail attachments and block all e-mail carrying attachments with the .scr extension. It is also recommended to scan e-mail for viruses at the gateway.
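The lure described in 2.1 and the gateway rule in 3.1.4, as an added worked example in Python (this is not code from the advisory or from any vendor). It parses a raw RFC 822 message, rejects any attachment whose effective extension is .scr, and separately flags the specific Goner lure (subject "Hi", the screensaver text, an attachment named GONE.SCR). The sample messages are constructed here for illustration; the attachment bytes are inert placeholders, not the worm.

```python
"""Gateway-side check for the W32/GONER@MM e-mail lure.

Added example, not from the MyCERT advisory.  It applies the blanket rule of
section 3.1.4 (reject any attachment whose effective extension is .scr) and
separately reports the specific lure from section 2.1: subject "Hi", the
screensaver text and an attachment named GONE.SCR.  Messages here are
constructed samples, not captured worm traffic.
"""
import email
from email import policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".scr"}          # extend (.pif, .exe, ...) per local policy
GONER_SUBJECT = "hi"
GONER_ATTACHMENT = "gone.scr"
GONER_PHRASES = ("when i saw this screensaver", "i promise you will love it")


def effective_extension(filename: str) -> str:
    """Extension Windows will act on: the last dot after trailing dots and
    spaces are stripped (Windows drops them), so 'photo.jpg.scr .' is .scr."""
    name = filename.lower().rstrip(". ")
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def attachment_names(msg: EmailMessage) -> list:
    """Filenames of all non-container MIME parts that carry one."""
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]


def analyse_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and decide accept/reject."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = attachment_names(msg)
    blocked = [n for n in names if effective_extension(n) in BLOCKED_EXTENSIONS]
    subject = (msg.get("Subject") or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    goner_lure = (subject == GONER_SUBJECT
                  and any(phrase in body for phrase in GONER_PHRASES)
                  and any(n.lower() == GONER_ATTACHMENT for n in names))
    return {"attachments": names, "blocked": blocked, "goner_lure": goner_lure,
            "action": "reject" if (blocked or goner_lure) else "accept"}


def _sample(subject: str, body: str, attachment: str = "") -> bytes:
    """Build a constructed test message; the attachment is inert bytes."""
    msg = EmailMessage()
    msg["From"] = "victim@example.test"      # constructed addresses
    msg["To"] = "contact@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"MZ placeholder, not the worm",
                           maintype="application", subtype="octet-stream",
                           filename=attachment)
    return msg.as_bytes()


def goner_sample() -> bytes:
    """The lure from section 2.1, reconstructed as a constructed message."""
    return _sample("Hi", "How are you ?\nWhen I saw this screensaver, I immediately "
                   "thought about you\nI am in a hurry, I promise you will love it!",
                   "GONE.SCR")


def double_extension_sample() -> bytes:
    """Not the Goner lure, but still caught by the blanket .scr rule."""
    return _sample("holiday pics", "see attached", "holiday.jpg.scr")


def benign_sample() -> bytes:
    """Same subject as the lure, harmless attachment: must be accepted."""
    return _sample("Hi", "How are you? Report attached.", "report.txt")


if __name__ == "__main__":
    for label, raw in (("goner", goner_sample()),
                       ("double-ext", double_extension_sample()),
                       ("benign", benign_sample())):
        print(label, analyse_message(raw))
```

The blanket rule is what actually protects the gateway; the lure match only adds a label for reporting, since the next variant changes its subject line but still needs the .scr attachment to execute.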

3.2 Detection

Any antivirus product with the latest virus definitions is able to detect the worm. To detect it, run an antivirus scan with the latest signature file on your system. Ensure the antivirus is configured to scan ALL FILES, or, if it scans selected file types only, that relevant extensions such as .SCR are included.

3.3 Removal

Automatic Removal
Symantec has provided a fix tool to remove this worm. Please refer to:
http://securityresponse.symantec.com/avcenter/venc/data/w32.goner.a@mm.removal.tool.html

Manual removal can be used if you have not yet updated the signature/pattern file. Please follow these instructions carefully.

Windows 9x/Me

  1. Reboot the computer.
  2. Before the Windows startup logo appears, press F8 to bring up the startup menu.
  3. Choose the "Command prompt only" option.
  4. Change to the %System% directory. %System% varies by installation; it is usually
      C:\Windows\System.
  5. At the command prompt, type the following command and press Enter to clear the attributes the worm sets on its copy:
      attrib -s -h -r gone.scr
  6. Type the following command and press Enter to delete the worm file:
      del gone.scr
  7. Restart Windows normally (the startup entry can no longer load the deleted file), then open the Registry Editor (click Start - Run, type "regedit" without the quotes, and press Enter).
  8. Navigate to the following key:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  9. Look for the value that points to %System%\gone.scr and delete it.
  10. Locate and delete all files named REMOTE32.INI in your mIRC folders.
  11. Either delete or restore from backup the file MIRC.INI.

Windows NT/2000

  1. Press CTRL-ALT-DEL.
  2. Choose TASK MANAGER and then the PROCESSES tab.
  3. Locate the GONE.SCR or PENTAGONE process, select it, and choose END PROCESS (if neither process is listed, the worm is not active; the remaining steps can still be used to confirm that no copy or startup entry is left).
  4. Click START | RUN, type CMD and press ENTER.
  5. Type CD %WINDIR%\SYSTEM32 and press ENTER.
  6. Type ATTRIB -h -s -r GONE.SCR and press ENTER.
  7. Type DEL GONE.SCR and press ENTER.
  8. Click START | RUN, type REGEDIT and press ENTER.
  9. Go to HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION.
  10. Click RUN.
  11. Select the value whose DATA reads C:\WINNT\SYSTEM32\gone.scr in the right-hand pane and press DELETE on the keyboard.
  12. Click START | FIND | Files or Folders ...
  13. Type REMOTE32.INI and press ENTER.
  14. Delete REMOTE32.INI.
  15. Restart the computer.
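The manual removal steps above and the registry note in 2.3, as an added host check written in Python (not the advisory's, Symantec's or any other vendor's tool). It looks for the dropped %System%\GONE.SCR, a Run-key value naming it, REMOTE32.INI in mIRC folders, and mIRC configuration lines that reference it. Paths are parameters so the same check runs against a mounted or copied disk; only the registry check needs a live Windows host. The sample directory tree it builds is constructed (inert placeholder files). The advisory does not give the exact line the worm writes into MIRC.INI, so the sample uses mIRC's [rfiles] list as an assumption, and the check matches any line naming remote32.ini rather than depending on that format.

```python
r"""Host indicator check for W32/GONER@MM.

Added example, not from the MyCERT advisory or any vendor tool.  It looks for
the artifacts the manual removal steps (section 3.3) and the registry note
(section 2.3) describe: the dropped %System%\GONE.SCR, a Run-key value that
loads it, REMOTE32.INI in mIRC folders and mIRC configuration files that
reference it.
"""
import tempfile
from pathlib import Path

WORM_FILE = "gone.scr"
MIRC_DROPPED = "remote32.ini"
MIRC_CONFIGS = ("mirc.ini", "script.ini")   # Trend Micro and NAI name different files
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def worm_copies(system_dir: Path) -> list:
    """Copies of the worm dropped into the Windows system directory."""
    if not system_dir.is_dir():
        return []
    return sorted(p for p in system_dir.iterdir()
                  if p.is_file() and p.name.lower() == WORM_FILE)


def mirc_indicators(mirc_dirs) -> dict:
    """Dropped REMOTE32.INI files and configuration lines that load them."""
    dropped, referenced = [], []
    for d in mirc_dirs:
        for p in Path(d).rglob("*"):
            if not p.is_file():
                continue
            name = p.name.lower()
            if name == MIRC_DROPPED:
                dropped.append(p)
            elif name in MIRC_CONFIGS:
                lines = p.read_text(errors="replace").splitlines()
                for no, line in enumerate(lines, 1):
                    if MIRC_DROPPED in line.lower():
                        referenced.append((p, no, line.strip()))
    return {"dropped": sorted(dropped), "referenced": referenced}


def run_key_indicators() -> list:
    """Run-key values naming gone.scr; empty off Windows or when clean."""
    try:
        import winreg
    except ImportError:           # not a Windows host (e.g. scanning an image)
        return []
    hits = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:       # no more values under the key
                break
            if WORM_FILE in f"{name} {value}".lower():
                hits.append(f"{name} = {value}")
            index += 1
    return hits


def check_host(system_dir, mirc_dirs, check_registry: bool = True) -> dict:
    """Run every check; 'infected' is True if any artifact is present."""
    report = {"worm": worm_copies(Path(system_dir)),
              "run_key": run_key_indicators() if check_registry else [],
              **mirc_indicators(mirc_dirs)}
    report["infected"] = any(bool(v) for v in report.values())
    return report


def build_sample_tree(infected: bool = True) -> Path:
    """Constructed sample filesystem (placeholder files, not real malware).

    The [rfiles] lines are an assumption about where mIRC lists its remote
    scripts; the check itself does not depend on that layout."""
    root = Path(tempfile.mkdtemp(prefix="goner-"))
    (root / "System").mkdir()
    mirc = root / "mIRC"
    mirc.mkdir()
    (mirc / "mirc.ini").write_text("[rfiles]\nn0=script.ini\n")
    if infected:
        (root / "System" / "GONE.SCR").write_bytes(b"MZ placeholder, not the worm")
        (mirc / "REMOTE32.INI").write_text("; placeholder for the dropped script\n")
        (mirc / "mirc.ini").write_text("[rfiles]\nn0=script.ini\nn1=remote32.ini\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for key, value in check_host(root / "System", [root / "mIRC"]).items():
        print(f"{key}: {value}")
```

On a live machine, pass the real system directory (C:\Windows\System on 9x/Me, %WINDIR%\SYSTEM32 on NT/2000) and every folder that holds a mIRC installation; on an offline disk, pass the mounted paths and set check_registry to False.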

 

4. Detailed Information

4.1 Trend Micro
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_GONER.A

4.2 NAI
http://vil.nai.com/vil/content/v_99272.htm

4.3 Symantec
http://www.sarc.com/avcenter/venc/data/w32.goner.a@mm.html