ARN

Goner virus spreading quickly

If you open the latest virus making the rounds Tuesday, your computer's antivirus system could be a goner. The infected machine may also be left open to a hacker backdoor.

McAfee and other antivirus software vendors say the W32.Goner.A@mm or "Goner" virus is beginning to spread as quickly as the Love Letter virus, which clogged e-mail system last year. "We see it as serious outbreak," says Ryan McGee, marketing manager for McAfee, a division of Network Associates "Infection reports from our customer base are comparable and surpassing the numbers for the BadTrans outbreak on the first day."

The Goner virus is disguised as a screensaver that comes attached to an e-mail message. When the recipient opens the attachment, the virus activates and seeks out any locally installed antivirus and personal firewall software. It then attempts to erase all the files in the directory where the software is installed.

The backdoor is a mIRC script that leaves the system open to access by hackers that know the infected machine's IP (Internet Protocol) address. Goner appends information to the script.ini file that is normally used by the mIRC chat program. The appended information points to a new file called remote32.ini, which is designed to cause a denial-of-service attack against other mIRC clients. Fortunately, the code does not work as intended, McGee says. Also, the chance of a hacker finding the IP address of an infected machine is slim.

Goner spreads by e-mailing itself to every user listed in an Outlook address book on the infected machine and possibly via IRC and ICQ chat applications, says Ian Hameroff, business manager for security solutions at Computer Associates (CA). The virus may not be that successful in deleting an application's files because it is not an uninstall program, it just attempts a delete command. "The success depends on permissions setting and other environmental issues," Hameroff says.

The infecting e-mail comes with a subject line of "hi" and an attachment called "gone.scr." The body of the message says:

How are you ?

When I saw this screen saver, I immediately thought about you.

I am in a harry, I promise you will love it!

Computer Associates began receiving reports of the virus from European customers early this morning and later in the U.S. All the major virus vendors, including CA, McAfee, Symantec and Sophos are posting new definition files to fend off the Goner threat. Computer Associates has posted more information on the virus here.

Nominations for the 2012 ARN IT Industry Awards open on Tuesday, June 12.

More about: CA Technologies, Goner virus, ICQ, McAfee, Promise, Sophos, Symantec, VIA

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the ARN comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Whitepapers
Latest Stories
Community Comments
ARN Directory | Distributors relevant to this article
Anyware Corporation , Aquion , ASI Solutions , Dicker Data , Express Data , Express Online , Fortune Tec , Impact Systems Technology , Leader Computers , Lynx Technologies , Topstar Computer International , Westcon Group , Xpress I.T.
ARN Directory | Vendors relevant to this article
CA , Sophos , Symantec
rhs_login_lockGet exclusive access to ARN's news, research and invitation only events.
ARN Distributor Directory
Find distributors by name | vendor | location
Channel Deals
/deals/aca-pacific/439_qlogic-reseller-promotion-bonuses-on-hba-and-s
ACA Pacific

QLogic Reseller Promotion. Bonuses on HBA and Switch Purchases. Ends June 30th, 2012

More details »
ARN Vendor Directory
Find vendors by name | category

iAsset is a channel management ecosystem that automates all major aspects of the entire sales,marketing and service process, including data tracking, integrated learning, knowledge management and product lifecycle management.