If you open the latest virus making the rounds Tuesday, your computer's antivirus system could be a goner. The infected machine may also be left open to a hacker backdoor.
McAfee and other antivirus software vendors say the W32.Goner.A@mm or "Goner" virus is beginning to spread as quickly as the Love Letter virus, which clogged e-mail system last year. "We see it as serious outbreak," says Ryan McGee, marketing manager for McAfee, a division of Network Associates "Infection reports from our customer base are comparable and surpassing the numbers for the BadTrans outbreak on the first day."
The Goner virus is disguised as a screensaver that comes attached to an e-mail message. When the recipient opens the attachment, the virus activates and seeks out any locally installed antivirus and personal firewall software. It then attempts to erase all the files in the directory where the software is installed.
The backdoor is a mIRC script that leaves the system open to access by hackers that know the infected machine's IP (Internet Protocol) address. Goner appends information to the script.ini file that is normally used by the mIRC chat program. The appended information points to a new file called remote32.ini, which is designed to cause a denial-of-service attack against other mIRC clients. Fortunately, the code does not work as intended, McGee says. Also, the chance of a hacker finding the IP address of an infected machine is slim.
Goner spreads by e-mailing itself to every user listed in an Outlook address book on the infected machine and possibly via IRC and ICQ chat applications, says Ian Hameroff, business manager for security solutions at Computer Associates (CA). The virus may not be that successful in deleting an application's files because it is not an uninstall program, it just attempts a delete command. "The success depends on permissions setting and other environmental issues," Hameroff says.
The infecting e-mail comes with a subject line of "hi" and an attachment called "gone.scr." The body of the message says:
How are you ?
When I saw this screen saver, I immediately thought about you.
I am in a harry, I promise you will love it!
Computer Associates began receiving reports of the virus from European customers early this morning and later in the U.S. All the major virus vendors, including CA, McAfee, Symantec and Sophos are posting new definition files to fend off the Goner threat. Computer Associates has posted more information on the virus here.