Goner Finds Users Napping

The Goner worm that tore through corporate networks last week is just the latest evidence that virus writers and crackers are growing ever more skillful. While its infection method is unremarkable and reminiscent of previous mass-mailing worms, Goners destructive payload deletes anti-virus files and installs a distributed-denial-of-service client on infected machines. Such blended threats, as theyre called, are the unfortunate result of the tools readily available on the Internet.

“This is one more step in the evolution of viruses,” said Steve Trilling, director of research for Symantec Corp.s Security Response center, in Cupertino, Calif. “Were going to see more and more blended threats.”

Goner began showing up in the United States early last week and spread rapidly for the next several days. By the end of the week, MessageLabs Ltd. reported stopping more than 100,000 copies of the worm.

The mass-mailing worm was first spotted in Europe and later spread in the United States.

Goner spreads via Microsoft Corp.s Outlook e-mail client as well as through the popular ICQ chat network, said anti-virus officials at Computer Associates International Inc.

Goner arrives with a subject line of “Hi” and an attachment labeled Gone.scr. The body of the message reads: “How are you? When I saw this screen saver, I immediately thought about you I am in a harry [sic], I promise you will love it!”

CA officials said more than 20 CA customers have reported seeing the virus, which was first spotted by the staff of the companys German lab.

The worm spread rapidly in the United States, with dozens of companies reporting infections. McAfee.com Corp. reported that when executed, the worms attachment copies itself to the machines registry so it will start on boot-up.

In addition, the worm attempts to delete a number of files, including anti-virus and firewall programs and several security tools. McAfee has given the worm its highest risk rating.

Because the worm deletes anti-virus files, some users may find themselves powerless against Goner.

“Goner is one of the most incredibly fast-moving and potentially dangerous e-mail viruses weve seen,” said Mark Sunner, chief technology officer of MessageLabs, in London. “From what weve observed, Goner tries to disable the local AV/firewall settings, so anyone using traditional desktop gateway solutions who attempts to download the signature patch may find that their software has been shut down. In order to get it back again, it will need to be reinstalled.”

“Its still amazing to see environments are allowing in things that have no business value like screen savers,” said Ian Hameroff, business manager for security solutions at CA, based in Islandia, N.Y.