The mass-mailing Internet worm, written in Visual Basic Script (VBS) spread rapidly throughout Tuesday night. Antivirus firm MessageLabs said it detected 40,000 cases of the worm in the 24 hours since 10:50am on Tuesday. In comparison, MessageLabs detected 50,000 copies of the SirCam virus over the past four weeks.
On Tuesday, MessageLabs said it was stopping about 1,000 Goner viruses an hour, and that this figure later rose to 8,000 an hour. Security experts are warning that W32/Goner-A could wreak the same amount of havoc as last year's infamous "Love Letter" e-mail worm.
Computer worms such as Code Red and Nimda, which used proven hacker exploits to spread, had led some experts to speculate that virus writers were taking a new approach and moving away from writing viruses that require someone to open an attachment to trigger them. But the sudden surge of Goner attacks in the last 24 hours suggests that such predictions about traditional viruses may have been wrong. "The battle is lost, as people will always be inquisitive and double-click on the attachment," said Alex Shipp, antivirus technologist at MessageLabs.
The Goner worm arrives as an email with the subject line "Hi", and disguises itself as a screensaver. It contains the text: How are you? When I saw this screensaver, I immediately thought about you. I am in a harry, I promise you will love it!
The malicious Visual Basic Script is compressed into the UPX (Ultimate Packer for eXecutables) format, making it harder for antivirus software to detect. This also enables the virus to bypass corporate firewalls that are protected against VBS files.
When the file is opened in Microsoft Outlook, Goner will attempt to terminate a number of antivirus products installed on the infected computer, and will then delete all files from any directory containing files of those names. "This will be more expensive to get rid of than Love Letter, as all companies infected will need to reinstall antivirus software on each individual PC," said Shipp.
Goner also uses a Internet Relay Chat application called mIRC to install a backdoor, which can be used to launch a Denial of Service (DoS) attack on IRC channels, and on other users connected to the same IRC channel as the infected user.
The Pentagone worm is thought to have originated in Europe, even though the first incident of attack was detected in the United States. A large proportion of reports received by MessageLabs have originated in France.