Aliases: Goner.A, I-Worm.Goner, W32/Goner@MM, WORM_GONER.A, W32/Goner-A
Variants: Win32.Goner.A, W32/Goner.A@mm, Win32.HLLM.Goner, Win32/Goner.A, Worm/Goner

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Fast
Geographical info: North and South America, Europe, Australia
Removal: Hard
Platform: W32
Discovered: 04 Dec 2001
Damage: Medium

Characteristics: Another type of mass mailing Worm, this threat normally arrives as an attachment of a spiked email and makes use of the default client of the Microsoft Windows Operating System platform as well as Internet Relay Chat clients to spread its codes. The W32.Goner.A@mm can check for the presence of the IRC client in the infected computer system and use the Internet Relay Chat service to issue a Denial of service attack on specific servers.

More details about W32.Goner.A@mm

Like most Worm malware, this particular threat requires the user to manually launch its trigger file in order to infect a vulnerable machine. Aside from email and Internet Relay Chat, the W32.Goner.A@mm may also use Internet paging clients to deliver its trigger file. Simply viewing the message or chat contents will not execute the infection. In order to trick the recipient into launching its file, the W32.Goner.A@mm assumes the personality of the user of the infected machine. This makes the other party believe that the file transmitted is legitimate causing its execution. Normally the trigger file of the W32.Goner.A@mm is disguised as a type of screen saver using the SCR file extension. A message box is displayed on the screen of the infected machine.

The W32.Goner.A@mm sends email messages in the background attempting to conceal it from the computer user. It will also modify certain Windows Registry key settings in order to establish its presence in the machine. The W32.Goner.A@mm will also terminate active processes that are associated to system protection. The executable files for these security programs and protocols will be deleted accordingly. If the files to be deleted are in use, the malware will create an initialization file to ensure that the target files will be removed from the system on the next boot up or startup instance.