LHRIC > Technical Services > Virus Alert

	TECHNICAL SERVICES
	home \| search \| contact \| Virus Central
	Providing timely, reliable & cost-effective technical support

Virus Central - Detailed

Virus Information
Name:	W32/Goner@MM
Aliases:	I-Worm.Goner (AVP), W32.Goner.A@mm (NAV), W32/Goner-A (Sophos), W32/Goner.A@mm (Panda), Win32.Goner.A@mm (AVX)
Type:	Virus
Discovery Date:	12/4/2001
Detection:	Presense of the GONE.SCR
Virus Description:	This mass mailing worm attempts to send itself using Microsoft Outlook to all entries found in the Outlook Address book. It uses ICQ to spread as well. It arrives in an email message containing the information below.
E-mail Subject:	Hi
E-mail Body:	How are you ? When I saw this screen saver, I immediately thought about you I am in a harry, I promise you will love it!
Attachment:	GONE.SCR

Virus Effects:

This mass-mailing worm sends itself to all users found in the Outlook Address Book using using a plain text format. Therefore, the
attachment does not start automatically when the user opens the message and does not get activated automatically when then
Outlook preview pane if used.

Running this attachment infects the local system.

When run, the worm displays a message box entitled, "About"

After a short time another windows entitled "Error" is displayed:

The worm copies itself into SYSTEM in the %WinDir% folder and adds the following registry key in order to get started upon boot :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run\C:\%WINDIR%\SYSTEM\gone.scr=C:\%WINDIR%\SYSTEM\gone.scr

Under Windows 9x/ME, the worm looks for the following processes in memory:

APLICA32.EXE
ZONEALARM.EXE
ESAFE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET32.EXE
PCFWallICON.EXE
FRW.EXE
VSHWIN32.EXE
NAVW32.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
AVP32.EXE
AVPCC.EXE
AVPM.EXE
AVP.EXE
LOCKDOWN2000.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLOADNT.EXE
ICSUPPNT.EXE
TDS2-98.EXE
TDS2-NT.EXE
SAFEWEB.EXE

If present, the process is terminated and all files in the directory containing that executable are deleted, as well as all files in that subdirectory. If this action fails, the worm may create a WININIT.INI file to delete the files upon restart.

Removal Instructions:

Use the following EXTRA.DAT for detection and removal

EXTRA.DAT files:
EXTRA.DAT
SUPER EXTRA.DAT

Manual Removal Instructions

WINDOWS 95/98/ME

Restart Windows in Safe Mode (reboot your computer, just before the large WINDOWS startup screen comes up, hit the F5 key). You can recognize that you're in Safe Mode by the text Safe Mode in the 4 corners of the desktop.
Click START | FIND | Files or Folders ...
Type Gone.scr and hit ENTER
Delete GONE.SCR (if present)
Click START | RUN, type REGEDIT and hit ENTER
Click the (+) next to HKEY_LOCAL_MACHINE
Click the (+) next to SOFTWARE
Click the (+) next to MICROSOFT
Click the (+) next to WINDOWS
Click the (+) next to CURRENTVERSION
Click RUN
Click on C:\WINDOWS\SYSTEM\gone.scr on the right and hit DELETE on the keyboard
Restart the computer

WINDOWS NT/2000/XP

Type CTRL-ALT-DEL at the same time
Choose TASK MANAGER and then choose the PROCESS tab
Locate the GONE.SCR process, click it, and choose END PROCESS
Click START | FIND | Files or Folders ...
Type Gone.scr and hit ENTER
Delete GONE.SCR (if present)
Click START | RUN, type REGEDIT and hit ENTER
Click the (+) next to HKEY_LOCAL_MACHINE
Click the (+) next to SOFTWARE
Click the (+) next to MICROSOFT
Click the (+) next to WINDOWS
Click the (+) next to CURRENTVERSION
Click RUN
Click on C:\WINNT\SYSTEM\gone.scr on the right and hit DELETE on the keyboard
Restart the computer

Additional Windows ME Info:
NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.

Disabling the Restore Utility

1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse the file's located in the C:\_Restore folder and remove the file's.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected file's are removed and the System Restore is once again active.