Virus Busters Home


The W32/Goner@MM Virus Gets Lucky

by Bruce P. Burrell (bpb@umich.edu)
for the U-M Virus Busters (virus.busters@umich.edu)
Last significant update: 09 December, 2001

This information can be freely reproduced in any medium, as long as the information is unmodified.

News Flash: Writers of Goner virus apprehended in Israel. See the AP article on it at e.g., USA Today (leaving our site).

The W32/Goner virus family was discovered on 04 December, 2001, and has spread rapidly "In The Wild." The cause for this outbreak can probably be attributed to several issues:

Whatever the reason for its spread, it has become a significant annoyance in a short time (not much at U-M, though, so far). Major antivirus products were able to detect, prevent and sometimes repair infected files within hours of the discovery of the new strain.

While the best way to recognize a virus is to use an antivirus scanner -- "identification by symptom" is folly when there are over 59,000 different nasties out there -- here are a few tips that may help to recognize email that is infected with W32/Goner@MM:

  1. The email containing the infected attachment has a Subject field of Hi.

  2. The text of the email is:
      
      How are you ? 
      When I saw this screen saver, I immediately thought about you 
      I am in a harry, I promise you will love it! 
      

    Yes, "in a harry."

  3. The infected email attachment is a file named gone.scr

  4. Should someone be unlucky enough to execute the attachment, a Windows messagebox appears that will make it obvious that something is amiss. See vendor web sites at the URLs below for more details.

  5. If the virus manages to get control, it will harvest email addresses from Outlook addressbooks, and attempt to send itself to those addresses.

    The virus also will attempt to delete antivirus and other security software, and do other nasty things.
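The email-level tips in items 1-3 can be checked mechanically at a mail gateway or during triage. The following is an added example, not part of the original page: it uses Python's standard `email` module, and the function names, the scoring rule in `is_suspect`, and the sample messages are all assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators from items 1-3 above, compared case-insensitively.
SUBJECT = "hi"
ATTACHMENT = "gone.scr"
BODY_PHRASES = ("when i saw this screen saver", "i am in a harry")

def goner_indicators(raw_message):
    """Return the indicators ("subject", "body", "attachment") that match."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        if name == ATTACHMENT:
            hits.append("attachment")
        elif not name and part.get_content_maintype() == "text":
            text = " ".join(part.get_content().lower().split())
            if any(phrase in text for phrase in BODY_PHRASES):
                hits.append("body")
    return hits

def is_suspect(hits):
    """Assumed policy: the attachment name alone, or any two indicators."""
    return "attachment" in hits or len(set(hits)) >= 2

def build_sample(subject, body, attachment_name=None):
    """Build a constructed test message; the attachment is placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "recipient@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()

if __name__ == "__main__":
    goner_body = ("How are you ?\nWhen I saw this screen saver, I immediately "
                  "thought about you\nI am in a harry, I promise you will love it!\n")
    for raw in (build_sample("Hi", goner_body, "GONE.SCR"),
                build_sample("Hi", "Lunch tomorrow?\n")):
        hits = goner_indicators(raw)
        print(hits, "SUSPECT" if is_suspect(hits) else "ok")
```

A Subject of "Hi" on its own is common in ordinary mail, which is why the assumed policy does not flag it without a second indicator.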

For more information about this virus, see e.g., NAI's (leaving our site) or F-Secure's (leaving our site) writeup on W32/Goner@MM.

Please do not forward warnings about this exploit -- or any other warning or hoax -- to all your friends.

Instead, you should reply to the sender -- and as far back up the email chain as you have energy -- pointing the originators to web resources such as ours. For this particular virus I suggest that you provide a pointer to this URL: http://www.umich.edu/~virus-busters/goner.html.

For virus or hoax info, please see our main page (http://www.umich.edu/~virus-busters/) or go to another reputable site, like The Urban Legends Reference Pages (leaving our site).

       -BPB



    Last updated: Thursday, 01-Aug-2002 01:08:33 EDT.
    University of Michigan Virus Busters - virus.busters@umich.edu
