[email protected]

Aliases: Goner.A, I-Worm.Goner, W32/[email protected], WORM_GONER.A, W32/Goner-A
Variants: Win32.Goner.A, W32/[email protected], Win32.HLLM.Goner, Win32/Goner.A, Worm/Goner

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Fast
Geographical info: North and South America, Europe, Australia
Removal: Hard
Platform: W32
Discovered: 04 Dec 2001
Damage: Medium

Characteristics: Another mass-mailing worm, this threat normally arrives as an attachment to a spiked email and uses the default client of the Microsoft Windows operating system, as well as Internet Relay Chat (IRC) clients, to spread its code. The worm can check for the presence of an IRC client on the infected computer and use the IRC service to launch a denial-of-service attack on specific servers.

More details about [email protected]

Like most worms, this threat requires the user to manually launch its trigger file in order to infect a vulnerable machine. Aside from email and Internet Relay Chat, the worm may also use Internet paging clients to deliver its trigger file. Simply viewing the message or chat contents will not execute the infection. To trick the recipient into launching the file, the worm impersonates the user of the infected machine. This leads the other party to believe that the transmitted file is legitimate and to execute it. Normally the trigger file is disguised as a screen saver using the SCR file extension. A message box is displayed on the screen of the infected machine.
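A mail-gateway style check for the delivery method described above, as an added example that is not part of the original entry. It flags attachments by executable extension and by the `MZ` header every Windows executable (screen savers included) starts with. The extension list beyond `.scr`, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# The entry names only .scr; the other extensions generalize the same check.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat"}


def flag_attachments(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for every attachment that should be quarantined."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Windows ignores trailing dots and spaces, so normalize before comparing.
        name = (part.get_filename() or "").strip().rstrip(".").lower()
        if part.get_content_maintype() == "text" and not name:
            continue  # plain message body, not an attachment
        payload = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
        if ext in EXECUTABLE_EXTS:
            findings.append((name, f"executable extension {ext}"))
        elif payload[:2] == b"MZ":
            # Executable content hidden behind a harmless-looking name.
            findings.append((name or "<unnamed>", "PE header under non-executable name"))
    return findings


def build_sample() -> bytes:
    """Constructed message: one .scr, one renamed executable, one real JPEG header."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("See the attached file.")
    pe_stub = b"MZ" + b"\x00" * 62  # header bytes only, not a working program
    m.add_attachment(pe_stub, maintype="application", subtype="octet-stream",
                     filename="holiday.scr")
    m.add_attachment(pe_stub, maintype="image", subtype="jpeg", filename="photo.jpg")
    m.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 16, maintype="image",
                     subtype="jpeg", filename="real.jpg")
    return m.as_bytes()


if __name__ == "__main__":
    for name, reason in flag_attachments(build_sample()):
        print(f"quarantine {name}: {reason}")
```

Because the sender really is a known contact whose machine is infected, sender reputation does not help here; the attachment itself has to be inspected.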

The worm sends email messages in the background in an attempt to conceal the activity from the computer user. It also modifies certain Windows Registry key settings in order to establish its presence on the machine. The worm also terminates active processes associated with system protection, and the executable files for these security programs and protocols are deleted. If the files to be deleted are in use, the malware creates an initialization file to ensure that the target files are removed from the system on the next boot or startup.