Goner proves social viruses still a threat

The Goner worm, which relies on the inquisitive computer user to spread, shows that gullible users are still their own worst enemy

The rapidly spreading Pentagone (or "Goner") worm is proof that many people are still falling victim to viruses that are activated by tricking them into double-clicking an attachment.

The mass-mailing Internet worm, written in Visual Basic Script (VBS) has been spreading rapidly throughout Tuesday night. Antivirus firm MessageLabs said it detetected 40,000 cases of the worm in the 24 hours since 10:50am on Tuesday. By comparison, MessageLabs detected 50,000 copies of the SirCam virus over the past four weeks. At around 3:00pm on Tuesday, the company said it was stopping about 1,000 Goner viruses an hour, and that this figure later rose to 8,000 an hour. Security experts are warning that W32/Goner-A could wreak the same amount of havoc as last year's infamous "Love Letter" email worm.

Computer worms such as Code Red and Nimda, which used proven hacker exploits to spread, had led some to speculate that virus writers were moving on from writing viruses that require someone to open an attachment to trigger them. But the sudden surge of Goner attacks in the last 24 hours is suggesting that antivirus predictions about traditional viruses may have been wrong. "The battle is lost as people will always be inquisitive and double-click on the attachment," said Alex Shipp, antivirus technologist at MessageLabs.

The worm arrives as an email with the subject line "Hi", and disguises itself as a screensaver. It contains the text: "How are you? When I saw this screensaver, I immediately thought about you. I am in a harry, I promise you will love it!"

The malicious Visual Basic Script is compressed into the UPX (Ultimate Packer for eXecutables) format, making it harder for antivirus software to detect. This also enables the virus to bypass corporate firewalls that are protected against VBS files.

When the file is opened in Microsoft Outlook, Goner will attempt to terminate a number of antivirus products installed on the infected computer, and will then delete all files from any directory containing files of those names. "This will be more expensive to get rid of than Love Letter, as all companies infected will need to reinstall its antivirus software on each individual PC," said Shipp.

Goner also uses the Inernet Relay Chat application called mIRC to install a backdoor, which can be used to launch a Denial of Service (DoS) attack on IRC channels, and on other uses connected to the same IRC channel as the infected user.

The Pentagone worm is thought to have originated from Europe, despite the first incident being detected in the US. A large proportion of reports received by MessageLabs have originated from France.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All