Threat behavior
Worm:Win32/Goner.A@mm is a worm that spreads via e-mail and ICQ. This worm can also be instructed via IRC to perform DDoS (Distributed Denial of Service) attacks against specified targets.
Installation
When Win32/Goner.A is run, it drops a copy of itself as '<system folder>\gone.scr'. The registry is modified to run this dropped copy at each Windows start:
Adds value: "<system folder>\gone.scr"
With data: "<system folder>\gone.scr"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
This worm may display a message box containing the text “Error While Analyze DirectX!” during installation.
Spreads Via…
E-mail
Worm:Win32/Goner.A@mm may attempt to send a copy of itself as an attachment to an e-mail message sent to contacts in the Windows address book. The e-mail message may contain the following text in the body:
When I saw this screen saver, I immediately thought about you I am in a harry, I promise you will love it!
ICQ
Worm:Win32/Goner.A@mm may attempt to send a copy of itself as an attachment to messages sent to contacts found in the contact list for the Internet chat application ICQ. The worm targets users that are online at the time the worm executes.
Payload
Terminates Processes
Worm:Win32/Goner.A@mm searches for and terminates the following processes:
IAMAPP.EXE
IAMSERV.EXE
CFINET.EXE
APLICA32.EXE
ZONEALARM.EXE
ESAFE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET32.EXE
PCFWallIcon.EXE
FRW.EXE
VSHWIN32.EXE
VSECOMR.EXE
WEBSCANX.EXE
AVCONSOL.EXE
VSSTAT.EXE
NAVAPW32.EXE
NAVW32.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
AVP32.EXE
AVPCC.EXE
AVPM.EXE
AVP.EXE
LOCKDOWN2000.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLOADNT.EXE
ICSUPPNT.EXE
TDS2-98.EXE
TDS2-NT.EXE
SAFEWEB.EXE
If a process from the above list is found, the worm attempts to delete the folders that contain these executables. If it cannot delete them, it writes the file name(s) to WININIT.INI, a boot-time configuration file that Windows processes at the next reboot, so that the targeted files are deleted then.
Performs DDoS
Worm:Win32/Goner.A@mm drops the file 'remote32.ini' into the mIRC (an Internet chat application) program folder. The worm modifies the configuration file 'mirc.ini' to execute this file whenever mIRC is launched. This script may be used in DDoS/Flood attacks.
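The three host artifacts described above (the Run key value pointing at gone.scr, the WININIT.INI deletion entries, and the mirc.ini change that loads remote32.ini) can be checked offline from collected copies of those files. The following Python is an added example and not part of this analysis; it assumes WININIT.INI uses the standard Windows 9x [rename] section with NUL= entries and that mirc.ini lists remote scripts under [rfiles], and it runs on constructed sample inputs.

```python
# Added example (not from the original analysis): offline triage of the three host
# artifacts the worm leaves. Assumptions: WININIT.INI uses the standard Windows 9x
# [rename] section with NUL= to delete a file at reboot; mirc.ini lists scripts under [rfiles].
from pathlib import PureWindowsPath

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
# Security-product processes the worm terminates (the list given in the analysis).
TARGETS = {n.upper() for n in """IAMAPP.EXE IAMSERV.EXE CFINET.EXE APLICA32.EXE ZONEALARM.EXE
ESAFE.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET32.EXE PCFWallIcon.EXE FRW.EXE VSHWIN32.EXE VSECOMR.EXE
WEBSCANX.EXE AVCONSOL.EXE VSSTAT.EXE NAVAPW32.EXE NAVW32.EXE _AVP32.EXE _AVPCC.EXE _AVPM.EXE
AVP32.EXE AVPCC.EXE AVPM.EXE AVP.EXE LOCKDOWN2000.EXE ICLOAD95.EXE ICMON.EXE ICSUPP95.EXE
ICLOADNT.EXE ICSUPPNT.EXE TDS2-98.EXE TDS2-NT.EXE SAFEWEB.EXE""".split()}

def ini_section(text, name):
    """Return the key=value lines of one INI/.reg section (section name is case-insensitive)."""
    lines, inside = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            inside = line[1:-1].lower() == name.lower()
        elif inside and "=" in line:
            lines.append(line)
    return lines

def run_values_loading_gone(reg_text):
    """Names of Run-key values (from a .reg export) whose data points at the dropped gone.scr."""
    hits = []
    for line in ini_section(reg_text, RUN_KEY):
        name, sep, data = line.replace("\\\\", "\\").partition('"="')  # .reg doubles '\'
        if sep and PureWindowsPath(data.rstrip('"')).name.lower() == "gone.scr":
            hits.append(name.lstrip('"'))
    return hits

def pending_security_deletions(wininit_text):
    """Security-product binaries queued for deletion at reboot through [rename] NUL= entries."""
    entries = (l.split("=", 1) for l in ini_section(wininit_text, "rename"))
    return sorted(PureWindowsPath(v).name.upper() for k, v in entries
                  if k.strip().upper() == "NUL" and PureWindowsPath(v).name.upper() in TARGETS)

def mirc_loads_remote32(mirc_text):
    """True if mirc.ini's [rfiles] section loads the dropped remote32.ini script."""
    return any(PureWindowsPath(l.split("=", 1)[1]).name.lower() == "remote32.ini"
               for l in ini_section(mirc_text, "rfiles"))

# Constructed samples (not real captures) of what a triage of an infected host might collect.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"C:\\WINDOWS\\SYSTEM\\gone.scr"="C:\\WINDOWS\\SYSTEM\\gone.scr"
"""
SAMPLE_WININIT = "[rename]\nNUL=C:\\ZONEALARM\\ZONEALARM.EXE\nNUL=C:\\TEMP\\readme.txt\n"
SAMPLE_MIRC = "[mirc]\nuser=test\n[rfiles]\nn0=remote32.ini\n"
```

Against the constructed samples the three checks return the gone.scr Run value name, ['ZONEALARM.EXE'] as the pending deletion, and True for the mirc.ini change; a clean host yields an empty list, an empty list, and False.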
Analysis by Josh Phillips
Prevention