SecureData, an ERP.com company and the exclusive sub-Saharan distributors of Trend Micro (Nasdaq: TMIC, TSE: 4704), a worldwide leader in network antivirus and Internet content security solutions, is warning computer users of a fast-spreading worm known as WORM_GONE.A.
This Worm arrives via email as the attachment GONE.SCR. The file is packed using the UPX packer programme and is compiled using Visual Basic.
The email details in which this worm arrives are as follows:
Subject: Hi
Body: How are you? When I saw this screensaver, I immediately thought about you I am in a harry, I promise you will love it!
Attachment: GONE.SCR
When executed, the program displays a window.
It then drops a copy of the worm file in %System%\GONE.SCR, and auto-executes this file every time Windows starts by creating the registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\%System%\gone.scr = %System%\gone.scr.
It also uses the mIRC application to install a backdoor. It creates a REMOTE.INI file, which contains a script that loads every time the mIRC application is started. The worm author can then use this worm extension to start Denial of Service (DoS) attacks on IRC channels and/or users connected to the same IRC channel as the infected user.
The worm also propagates via the ICQ chat application. It uses the ICQAPI to send a copy of itself to all online users.
The worm contains a destructive payload, which searches memory for certain applications (including certain personal firewalls and certain antivirus software), as follows:
- IAMAPP.EXE
- IAMSERV.EXE
- CFINET.EXE
- APLICA32.EXE
- ZONEALARM.EXE
- ESAFE.EXE
- CFIADMIN.EXE
- CFIAUDIT.EXE
- CFINET32.EXE
- PCFWALLICON.EXE
- FRW.EXE
- VSHWIN32.EXE
- VSECOMR.EXE
- WEBSCANX.EXE
- AVCONSOL.EXE
- VSSTAT.EXE
- NAVAPW32.EXE
- NAVW32.EXE
- _AVP32.EXE
- _AVPCC.EXE
- _AVPM.EXE
- AVP32.EXE
- AVPCC.EXE
- AVPM.EXE
- AVP.EXE
- ICLOAD95.EXE
- ICMON.EXE
- ICSUPP95.EXE
- ICLOADNT.EXE
- ICSUPPNT.EXE
- TDS2-98.EXE
- TDS2-NT.EXE
- SAFEWEB.EXE
When it finds any of the above files in memory, it terminates their processes. It also deletes all files in the directory where the found file is located. This routine effectively disables the application, which may prevent the files from functioning properly.
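The Run-key persistence described above can be checked for by auditing the output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`. The following Python code is an added example, not part of the original advisory or of Trend Micro's tooling; the function names, the sample registry output and the expanded paths in it are constructed for illustration, and the four-space column layout of `reg query` output is assumed.

```python
import ntpath
import re

# A value line in `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")
KNOWN_DROPPED = {"gone.scr"}  # file name given in the advisory

# Constructed sample output; %System% is shown expanded to an assumed path.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    SysTray.Exe
    ScanRegistry    REG_SZ    C:\WINDOWS\scanregw.exe /autorun
    C:\WINDOWS\SYSTEM\gone.scr    REG_SZ    C:\WINDOWS\SYSTEM\gone.scr
"""

def command_target(data):
    """Return the program path from Run-key data, handling quoted paths."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|scr|com|bat|cmd|pif))(?:\s|$)", data, re.I)
    return m.group(1) if m else data.split(" ", 1)[0]

def audit_run_key(reg_query_output):
    """Return (value name, target path, reasons) for suspicious autostart entries."""
    findings = []
    for line in reg_query_output.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue  # key header or blank line
        target = command_target(m["data"])
        base = ntpath.basename(target).lower()
        reasons = []
        if base in KNOWN_DROPPED:
            reasons.append("file name from advisory")
        if base.endswith(".scr"):
            reasons.append("screensaver launched at startup")
        if "\\" in m["name"]:
            reasons.append("value name is a file path")
        if reasons:
            findings.append((m["name"], target, reasons))
    return findings

if __name__ == "__main__":
    for name, target, reasons in audit_run_key(SAMPLE):
        print(f"{name} -> {target}: {', '.join(reasons)}")
```

The generic `.scr` and path-as-value-name checks also catch renamed copies, since a screensaver binary has no normal reason to start from the Run key.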
Wayne Biehn, SecureData Sales Director, said, "Trend Micro proves again that its global virus research organisation is able to handle such new threats extremely fast and efficiently. 20 minutes after they received the first sample, they created a virus pattern which can be downloaded on our website at www.sd.co.za."
The latest Pattern file is 177/977 and this can detect the worm.
Customers can also use Trend Micro's content filtering plug-in InterScan eManager to block a string of text within the message.
Non-customers can download a free 30-day evaluation copy of all Trend Micro's antivirus solutions including InterScan eManager from www.antivirus.com/download