Goner: ICQ-loving Internet-Worm
04 Dec 2001
Kaspersky Lab, an international data-security software-development company, announces the detection of a new mass mailing Internet-worm I-Worm.Goner. Reports of infection by this malicious program already have been reported in many countries throughout the world.
In order to be activated, "Goner" requires a user to manually launch the worm-carrier file (GONE.SCR) that will initiate the target-computer infection routine. To accomplish this, the worm creates its copy in the default Windows system folder under the same name (GONE.SCR), and registers this file in the start-up section of the Windows system registry. As a result, "Goner" will be activated each time the computer is rebooted.
After this, "Goner" starts its spreading routine. To make it more effective, the worm uses two data-transmission channels simultaneously: e-mail and ICQ, the popular Internet-paging software.
When spreading via e-mail, "Goner" gains access to Microsoft Outlook, creates a new message that contains an infected file, GONE.SCR, and unbeknownst to the user, sends it out to all the recipients from the Outlook address book. The distributed e-mail messages appear as follows:
After the e-mail spreading is finished, the worm consequently shows the following two windows:
"Goner" also tries to spread using ICQ. When active, it continuously traces the list of online ICQ users and regularly tries to send them the worm-carrier file. To conceal its unauthorized activity with ICQ, the worm permanently scans names of newly appeared dialogue boxes, and closes down those that are ICQ system messages.
In addition to spreading over the Internet, "Goner" also performs an attack on the #pentagonex IRC-channel. To accomplish this, the worm executes an additional script-program on the infected computer that regularly creates new members with random names on this channel. In some cases, this can overload the IRC channel and certainly annoys the IRC community.
Protection against "Goner" already has been added to the Kaspersky Anti-Virus daily update.
A more detailed description of the worm is available in the Kaspersky Anti-Virus Encyclopedia