Goner Virus Starts Making the Rounds

Written By
Dennis Fisher
Dec 4, 2001

The Goner worm that tore through corporate networks last week is simply one more bit of evidence that virus writers and crackers are growing ever more skillful and adept at their crafts, security experts said.

While its infection method is unremarkable and reminiscent of numerous previous mass-mailing worms, Goner carries a destructive payload that not only deletes anti-virus files but also installs a DDoS client on infected machines. Such blended threats, as they're called, are the unfortunate result of the ready availability of malware programs on the Internet and will become more and more prevalent in the future.

“This is one more step in the evolution of viruses,” said Steve Trilling, director of research at Symantec Corp.'s Security Response center in Cupertino, Calif. “We're going to see more and more blended threats.”

Goner began showing up in the United States on Tuesday and spread rapidly for the next several days. As of midday Thursday, MessageLabs Ltd., a U.K.-based virus-tracking firm, reported stopping more than 93,000 copies of the worm.

Known as W32/Goner.A, the virus spreads via Microsoft Corp.'s Outlook e-mail client and is also showing some indications of propagating through the popular ICQ chat network, according to anti-virus officials at Computer Associates International Inc.

The worm also tries to install a DDoS client on infected machines via IRC (Internet relay chat). IRC is a popular IM-type program used extensively by hackers, especially DDoS attackers, who use it to control their zombies.

The virus arrives with a subject line of “Hi” and an attachment labeled Gone.scr. The body of the message reads: “How are you? When I saw this screen saver, I immediately thought about you I am in a harry [sic], I promise you will love it!”

CA has assigned Goner a medium to high risk rating. Officials say more than 20 of their customers have reported seeing the virus, which was first spotted by the staff of their German lab.

The worm is now spreading rapidly in the United States, with dozens of companies reporting infections. McAfee.com reports that when executed, the worm's attachment copies itself to the machine's registry so it will start on bootup. Also, the worm attempts to delete a number of files, including anti-virus and firewall programs and several security tools. McAfee has given the worm its highest risk rating.

Goner was spreading Tuesday afternoon through both corporate networks and home PCs, anti-virus companies said.

Because the worm deletes anti-virus files, some users may find themselves powerless against Goner.

“Goner is one of the most incredibly fast-moving and potentially dangerous e-mail viruses we've seen,” said Mark Sunner, CTO of MessageLabs. “From what we've observed, Goner tries to disable the local AV/firewall settings, so anyone using traditional desktop gateway solutions who attempts to download the signature patch, may find that their software has been shut down. In order to get it back again, it will need to be reinstalled.”

“It's still amazing to see environments are allowing in things that have no business value like screen savers,” said Ian Hameroff, business manager for security solutions at CA, based in Islandia, N.Y.
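The following is an added example, not from the article or from any vendor quoted in it: a mail-gateway check of the kind Hameroff's remark implies, flagging attachments such as Gone.scr by their final extension. The extension list, addresses and function names are assumptions, and the sample messages are constructed with placeholder bytes.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy list: extensions Windows will execute on double-click.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".vbs"}

def executable_extension(filename):
    """Return the blocked extension a filename ends in, or None."""
    # Windows ignores trailing dots and spaces, so "Gone.scr. " still runs.
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    # Only the last extension matters: "holiday.jpg.scr" is a screen saver.
    ext = name[dot:] if dot != -1 else ""
    return ext if ext in BLOCKED_EXTENSIONS else None

def blocked_attachments(raw_message):
    """Parse raw message bytes; return [(filename, extension)] to quarantine."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        filename = part.get_filename()  # None for parts without a filename
        if not filename:
            continue
        ext = executable_extension(filename)
        if ext:
            hits.append((filename, ext))
    return hits

def build_sample(attachment_name):
    """Constructed test message: harmless placeholder bytes, not a real sample."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Hi"
    msg.set_content("How are you?")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name in ("Gone.scr", "holiday.jpg.SCR", "report.pdf"):
        print(name, "->", blocked_attachments(build_sample(name)))
```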
