'Goner' E-mail Worm Rated Highest Risk

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

A brand new worm slithering through the Web is getting passed by Microsoft Outlook home and businesses users and is so bad it has the potential of wiping out complete files.

Anti-virus experts at McAfee.com (NASDAQ:MCAF) identified the worm early Tuesday morning and have named it “Goner” after its identification string W32/Goner@MM. The company assessed the virus as a HIGH risk – it’s most serious rating.

Compared to other well known computer infections such as NIMDA, Code Red, Melissa and ILOVEYOU, McAfee says this is pretty serious stuff.

“Goner” Virus Resources

Here are some sites to go for up-to-date information on the virus.

McAfee, which offers virus description, methods of infection and information for removal

Symantic
, which also offers technical information about the virus

“To coin a phrase from Star Trek – this is certainly an attempt to bring down the shields,” says McAfee Security Architect Sam Curry. “It has the potential to be as destructive as the others, but it’s still too early in the game and we won’t see the full impact of this worm for some time. Unlike the Anna Kournikova virus that did one thing, this one is a hybrid virus that does a few things like deleting firewall and anti-virus files.”

Curry says that like many other e-mail-based infections, the worm is expected to spread further at the times when people are checking their e-mail – early in the morning, at lunch and when they get home from work.

This mass-mailing worm attempts to send itself using Microsoft Outlook to all entries found in the Outlook Address book. It can also use the instant messaging platform ICQ to spread as well. The worm arrives in an e-mail message contains the subject “Hi” with a short message in the body.

How are you ?
When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!

Sunnyvale, Calif.-based McAfee’s AVERT team says to the worm won’t activate until you open the attachment:

GONE.SCR.

The payload, if activated, can delete files from users’ computers. The “Goner” worm then e-mails itself to every e-mail address contained in the user’s address book.

Running this attachment infects the local system and not the network. When run, the worm displays a message box entitled; “About” and after a short time another window entitled “Error” is displayed.

The worm then copies itself into SYSTEM32 in the %WinDir% folder and adds the following registry key in order to get started upon boot:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersion
RunC:%WINDIR%SYSTEM32gone.scr=C:%WINDIR%SYSTEM32gone.scr

The new “Goner” worm comes quickly on the heels of the recent “Badtrans” Internet worm variant.

Both viruses affect users of Microsoft Outlook, although the “Goner” worm appears to target various firewall and anti-virus files for deletion.

And because of the multi-layered aspects of the worm, Curry suspects that this is more the work of crackers than of regular hackers.

This story first appeared on Siliconvalley.internet.com, an internet.com site.