W32/Goner@MM 12/04/01 3:30pm
The following is from Network Associates (http://vil.nai.com/vil/content/v_99272.htm):
This threat is detected and removed with Dat 4174 (or greater) and Scan Engine 4.1.60.
This mass mailing worm attempts to send itself using Microsoft Outlook to all entries found in the Outlook Address book. It uses ICQ to spread as well. It arrives in an email message containing the following information:
Subject: Hi
Body: How are you ?
When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!
Attachment: GONE.SCR
Running this attachment infects the local system.
When run, the worm displays a message box entitled, "About":
After a short time another windows entitled "Error" is displayed:
The worm copies itself into SYSTEM32 in the %WinDir% folder and adds the following registry key in order to get started upon boot:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Run\C:\%WINDIR%\SYSTEM32\gone.scr=C:\%WINDIR%\SYSTEM32\gone.scr
The worm also attempts to delete the following files:
APLICA32.EXE
ZONEALARM.EXE
ESAFE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET32.EXE
PCFWallICON.EXE
FRW.EXE
VSHWIN32.EXE
NAVW32.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
AVP32.EXE
AVPCC.EXE
AVPM.EXE
AVP.EXE
LOCKDOWN2000.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLOADNT.EXE
ICSUPPNT.EXE
TDS2-98.EXE
TDS2-NT.EXE
SAFEWEB.EXE
Do Not Open The Attachment!
