Goner Worm Threatens Security Apps

BOSTON -- A new high-risk worm, called "Goner," which attempts to delete a number of program files on infected computers, including firewall applications, is spreading quickly Tuesday, according to a number of antivirus firms.

The worm spreads by way of an attachment sent to users of Microsoft's Outlook and Outlook Express e-mail programs. In a change from the usual worm formula, it also travels through the chat application ICQ, according to vendors of antivirus products including McAfee.com, Computer Associates International, and Trend Micro. Goner does not exploit any security vulnerabilities like the recent Badtrans worm, but instead must have its attachment double-clicked in order to be launched, said April Goostree, virus research manager at McAfee.com.

Goner appears in user's in-boxes as an e-mail with the subject line "Hi." The body of the message reads, "How are you? When I saw this screen saver, I immediately thought about you ... I am in a harry [sic], I promise you will love it!" The mail also includes an attachment called Gone.SCR, which appears to be a screen saver.

When the attachment is double-clicked, the worm sends itself to everyone listed in the victim computer's address book, the antivirus companies said. Goner also tries to spread through the ICQ chat program, sending a copy of itself to all online users, Trend Micro said in its Web site. The worm installs a backdoor program that is activated whenever the mIRC chat application is launched and that can be used in Denial of Service attacks, Trend Micro said. After double-clicking on the attachment, a window also pops up, which includes credits for the virus' writer and its testers.

Search, Destroy Apps

After launch, Goner attempts to locate and delete a number of programs, including security programs like Zone Labs' ZoneAlarm firewall application, McAfee.com's Goostree said. Other files it attempts to delete include antivirus programs from Symantec and Kasperksy Labs, and security applications from Lockdown, and SafeWeb, according to both McAfee.com and Trend Micro.

The number of users infected with Goner is already "very, very large," Goostree said, although she did not have an exact number available.

"I would imagine you're going to see corporations shutting down their mail servers" to deal with the worm, she said.

Users are advised to update their virus definitions, visit the Web site of their antivirus provider, and not open unexpected attachments.