Newsbytes 2001-12-04
A new virus becomes a major pain in one day
At least one company says the worm, known as "Goner," may be the fastest-spreading e-mail attacker since the infamous "Love Letter virus" circumnavigated the global Internet in the spring of 2000.
Ryan McGee, marketing manager for McAfee.com, said his company suspected the worm had hit as many as 100,000 PCs by late afternoon today, estimating that figure by the number of calls and other anecdotal reports from large companies and individual users.
The worm, first reported in Europe early today and usually labeled W32/Gone.A, is highly virulent and capable of spreading via e-mail, the ICQ instant messenger client and Internet relay chat (IRC) links.
McGee said the lion's share of the worm's spread appears to be attributed to e-mail, where it targets the address books of those who use Microsoft Outlook Express mail software.
Jason Holloway, U.K. general manager for anti-virus software maker F-Secure, told Newsbytes the worm appears to have started somewhere in Europe, with early reports coming in from France and Germany.
Holloway said that his firm's help desk received reports that the worm infiltrated e-mail systems of enterprises as well as the PCs of home users.
"The fact that the worm is causing problems for companies is puzzling, since they usually have the best protection," he said.
McGee said the fact that Goner arrives with the file extension ".scr" - usually designating a Windows screen-saver application - may be one reason it was getting past corporate barriers designed to filter out executable files with more likely names.
In addition, once launched, Goner apparently attempts to delete well-known anti-virus and Internet firewall software found on the PCs it invades, reducing the chance that its subsequent mass-mailing behavior will be detected.
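The ".scr" filtering gap McGee describes can be shown with a mail attachment check, given here as an added example that is not part of the original report. The contents of both extension lists, the function names and the sample message are assumptions constructed for illustration.

```python
# Added example: extension-based attachment filtering, narrow list vs. fuller list.
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed "obvious names only" blocklist (hypothetical; not from the article).
WEAK_BLOCKLIST = {".exe", ".com", ".bat"}
# Windows screen savers (.scr) are ordinary executables, as are several
# other less familiar extensions, so a filter has to list them as well.
EXECUTABLE_EXTS = WEAK_BLOCKLIST | {".scr", ".pif", ".cmd", ".vbs", ".js", ".lnk"}


def blocked_attachments(raw: bytes, blocklist: set[str]) -> list[str]:
    """Return normalised names of attachments whose final extension is blocked."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Drop any path prefix, trailing dots/spaces and case differences,
        # so "Gone.SCR" and "gone.scr" are treated the same way.
        name = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ").lower()
        if PurePosixPath(name).suffix in blocklist:
            hits.append(name)
    return hits


def sample_message(filename: str) -> bytes:
    """Constructed test mail carrying a harmless placeholder payload."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Hi"
    msg.set_content("How are you?")
    msg.add_attachment(b"placeholder, not a real program",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    raw = sample_message("gone.scr")
    print("narrow list:", blocked_attachments(raw, WEAK_BLOCKLIST))
    print("fuller list:", blocked_attachments(raw, EXECUTABLE_EXTS))
```

A filter keyed only on the file name can still be sidestepped by renaming, so gateways commonly pair it with inspection of the file content itself.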
Symantec's Security Response team also reported that Goner appears to install software that might be able to launch denial-of-service attacks against other computers via IRC networks.
Goner's ability to take down some anti-virus barriers is reminiscent of October's low-threat Toal (or "Bin Laden") worm, but McAfee's McGee said early indications are that Goner is a new creation.
Trend Micro said the worm can arrive attached to an e-mail bearing the subject "Hi" and a misspelled message body that reads:
"How are you?
"When I saw this screen saver, I immediately thought about you I am in a harry, I promise you will love it!"
McGee said a recipient would have to click on the attached file - named gone.scr - to release the malicious code, but something about the simple message seems so compelling that thousands of PC users have done so today.
F-Secure said that when the e-mail attachment is launched, it shows a dialog box containing greetings and some animation, attempting to disguise itself.
The worm then shows a message box with a fake error message, connects to the Outlook address book, reads e-mail addresses from it and sends itself to those addresses.
When spreading via ICQ channels, F-Secure said, Goner uses a standard ICQ component to send out its file.
The worm sends a file transfer request to an ICQ contact who appears to be online, and if that person approves file transfer, the worm sends its file to that person.
Steven Sundermeier, product manager at Central Command, told Newsbytes that Goner appears to have originated in France, although this has yet to be confirmed.
"It's going to be a nuisance," he said.
McAfee is at http://www.mcafeeb2b.com .
Symantec's Security Response: http://www.sarc.com .
Central Command: http://www.centralcommand.com .
F-Secure: http://www.f-secure.com .
Trend Micro: http://www.trendmicro.co.uk .
Reported by Newsbytes.com, http://www.newsbytes.com .
