Date: Tue, 4 Dec 2001 23:38:47 -0500 (EST) From: BCPL.NET SysAdmin To: BCPL.NET News Subject: BCPL.NET NEWS: Goner Worm ---------------------------------------------------------- GONER WORM SPREADING RAPIDLY, DISABLES ANTI-VIRUS PROGRAMS ---------------------------------------------------------- The Goner Worm (also known as W32.Goner@mm, W32.Goner.A@mm, I-Worm.Goner, Gone, and Pentagone) was first detected on December 4 and is spreading rapidly. It is considered dangerous because when it infects a PC it searches for and deletes files associated with the most commonly used anti-virus programs and personal firewalls. This disables anti-virus and firewall protection on the infected PC, making it vulnerable to more serious viruses, worms, and other forms of attack. In addition, if the mIRC Internet Relay Chat client is installed on the infected PC, the Goner Worm installs several scripts in the mIRC client directory. These scripts cause the infected PC to use mIRC to initiate denial of service attacks against certain IRC chat channels. The Goner Worm spreads from an infected PC via two methods: VIA E-MAIL: The Goner Worm looks for an Outlook or Outlook Express address book on the infected PC. If one is found, Goner sends an infected message to all addresses found in it. The infected message has the following characteristics: SUBJECT: Hi FILE ATTACHMENT: GONE.SCR MESSAGE TEXT: How are you ? When I saw this screen saver, I immediately thought about you I am in a harry, I promise you will love it! It is the file attachment "GONE.SCR", disguised as a screen saver, that carries the infection. If the recipient opens the file, his/her PC will become infected. If you receive e-mail with the above characteristics, do not open the file attachment! VIA ICQ: If ICQ is installed on an infected computer, the Goner Worm sends an ICQ file transfer request to any ICQ contact who is on line in any mode. If the contact approves file transfer, the worm sends the infected file "GONE.SCR" to that person. If the recipient opens the file, his/her PC will become infected. If you are an ICQ user, and if you are offered a file named "GONE.SCR", do not accept it. If you do accept it, do not open it. See the following URLs for more information about the Goner Worm: http://www.F-Secure.com/v-descs/goner.shtml http://www.mcafee.com/anti-virus/viruses/Goner/default.asp http://www.symantec.com/avcenter/venc/data/w32.goner.a@mm.html Only PCs with Outlook, Outlook Express, or ICQ can spread the Goner Worm to other PCs. However any PC can be infected if the recipient intentionally opens the file "GONE.SCR" received as an e-mail file attachment or received via an ICQ file transfer. The Goner Worm cannot infect Macintosh or UNIX computers. If you receive a Goner-infected e-mail or an ICQ invitation to accept a Goner-infected file, keep in mind that the apparent sender did not send it intentionally. Goner sends out its infected e-mail and makes it's ICQ connections without the knowledge of the owner of the infected PC. The PC owner is not guilty of maliciously spreading a virus. He or she is guilty only of very foolishly opening an unexpected and unknown file attachment or accepting an unknown file via ICQ. NEVER open an unexpected e-mail file attachment, and never accept an unknown file via ICQ, even if it appears to be from someone you know. If in doubt, before opening the file get in touch with the apparent sender to verify that he/she really meant to send the file. We recommend that anti-virus software be installed all PCs connected to the Internet. Once installed, its scanning engine and its virus description database MUST be kept up to date. Otherwise the anti-virus software will not be able to detect and clean new viruses. -- BCPL.NET INTERNET SERVICES 320 York Road Towson, MD 21204-5179 U.S.A. CONTACTS: -------- Web Site: http://www.bcpl.net Administration & Policy: ispadmin@bcpl.net 410-887-6180 Sales, Renewals, Account Status: accounts@bcpl.net 410-887-4172 Technical Support (Help Desk): help@bcpl.net 410-887-3297 Usenet News Newsgroup Requests news-admin@bcpl.net 410-887-6180 E-Mail & Newsgroup Abuse Reports: abuse@bcpl.net 410-887-6180 Domain Name Service Issues: dnsadmin@bcpl.net 410-887-6180 FAX: 410-887-2091