
Win32.Gone.A@mm

HIGH
LOW
Size: 38912 bytes
Alias: W32/Goner.A@mm

Symptoms

  • A Gone.scr file in the %WINSYS% directory (the Windows System folder)

  • A value named %WINSYS%\gone.scr under the registry key

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

    whose data is %WINSYS%\gone.scr (the worm names the value after its own full path, so the name and the data are identical)

  • The animated window and the dialog box described in the technical description

  • A Remote32.ini file in the mIRC directory (only if mIRC is installed on the system)
Removal instructions:

    The BitDefender Virus Analyse Team has released a free removal tool for this particular virus.

    Important: Close all applications before running the tool (including the antivirus shields) and restart the computer afterwards. Additionally you will have to manually delete the infected files located in archives and the infected messages from your mail client.

    The BitDefender AntiGone.exe tool does the following:

  • it detects all the known Win32.Gone@mm versions;

  • it deletes the files infected with Win32.Gone;

  • it kills the worm's process from memory;

  • it repairs the Windows registry.

  • You may also need to reinstall or restore the files the worm deleted, that is, the antivirus and firewall programs it removed from the disk.

    Analyzed By

    Sorin Victor Dudea, BitDefender Virus Researcher

    Technical Description:

    It comes from:

    E-mail: It arrives in the following format:

    Subject: Hi

    Body:
    How are you ?
    When I saw this screen saver, I immediately thought about you.
    I am in a harry, I promise you will love it.

    Attachment:
    Gone.scr

    The misspelling "harry" is in the text the worm sends; mail filters that match on the body should use it exactly as shown.

    ICQ and mIRC:
    It arrives as a file transfer request.
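A mail-gateway check for the arrival format described above, as an added example (it is not Bitdefender's code and not part of the original page). It uses only the Python standard library; the two messages at the bottom are constructed samples, not captured traffic, and the sender and recipient addresses are placeholders. Quarantine is decided on the attachment name plus at least one of the text indicators, so an ordinary message with the subject "Hi" and no attachment is not caught; the separate .scr check is a generic policy worth keeping independently of this worm.

```python
"""Mail-gateway check for the Goner arrival format (added example, not Bitdefender's code)."""
from email import message_from_string
from email.message import EmailMessage, Message

# Indicators taken from the page: subject, one body line, and the attachment name.
GONER_SUBJECT = "Hi"
GONER_BODY_MARKER = "When I saw this screen saver, I immediately thought about you."
GONER_ATTACHMENT = "gone.scr"


def attachment_names(msg: Message) -> list:
    """Filenames of every part that carries one, walking nested multiparts."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def body_text(msg: Message) -> str:
    """Decoded text of the text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "ascii", "replace"))
    return "\n".join(chunks)


def goner_indicators(raw: str) -> list:
    """Which of the three arrival indicators a raw RFC 822 message matches."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip() == GONER_SUBJECT:
        hits.append("subject")
    if GONER_ATTACHMENT in (name.lower() for name in attachment_names(msg)):
        hits.append("attachment")
    if GONER_BODY_MARKER in body_text(msg):
        hits.append("body")
    return hits


def screensaver_attachments(raw: str) -> list:
    """Generic check independent of this worm: a .scr attachment is a PE executable."""
    msg = message_from_string(raw)
    return [name for name in attachment_names(msg) if name.lower().endswith(".scr")]


def should_quarantine(raw: str) -> bool:
    """Attachment name plus at least one text indicator; a bare 'Hi' mail passes."""
    hits = goner_indicators(raw)
    return "attachment" in hits and len(hits) >= 2


def build_sample(subject: str, body: str, attachment: str = "") -> str:
    """Construct a sample message for the demo (constructed, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"      # placeholder address
    msg["To"] = "victim@example.com"        # placeholder address
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        # A fake DOS/PE header stands in for the worm binary.
        msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()


SAMPLE_GONER = build_sample(
    "Hi",
    "How are you ?\nWhen I saw this screen saver, I immediately thought about you.\n"
    "I am in a harry, I promise you will love it.",
    "Gone.scr",
)
SAMPLE_BENIGN = build_sample("Hi", "How are you? Lunch tomorrow?")

if __name__ == "__main__":
    print(goner_indicators(SAMPLE_GONER), should_quarantine(SAMPLE_GONER))
    print(goner_indicators(SAMPLE_BENIGN), should_quarantine(SAMPLE_BENIGN))
```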

    After running the worm (the attachment or the transferred file) it shows an animated window, and after some time a dialog box (images omitted). These two windows are only a decoy; the real work happens while they are displayed.
    While the worm displays those two windows it scans the whole hard drive for known antivirus programs and firewalls. On Windows 9x, for every such file it finds, it creates wininit.ini (in the Windows directory, where Windows reads it at boot) and adds a NUL=<filename> line under the [rename] section, one line per file; Windows 9x processes that section at the next boot and a NUL target means "delete", so all those programs are removed at restart. On NT-based Windows it schedules the same deletions for the next restart through the registry instead (the standard delayed-delete mechanism is the PendingFileRenameOperations value under the Session Manager key).

    It then tries to kill those programs in memory so that it has unrestricted Internet access right away.

    To ensure that it is executed again at restart it adds a value under the registry key

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

    named %WINSYS%\gone.scr with the data %WINSYS%\gone.scr, where %WINSYS% is the Windows System folder.

    The worm drops the remote32.ini file in the mIRC directory and adds a reference to it in mirc.ini, so that mIRC loads it as a remote script (mirc.ini lists remote scripts in its [rfiles] section). This script is responsible for spreading over mIRC.

    After that it collects all e-mail addresses from the Outlook address book and sends itself to every one of them in the same format in which it arrived.

    When the e-mail run is finished it checks whether ICQ is loaded and, if it is, tries to send itself to the user's ICQ contacts using ICQ's file transfer protocol.
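Host-side triage for the artifacts named in the Symptoms list and the technical description, as an added example (not Bitdefender's AntiGone tool and not part of the original page). The Run-key dump, wininit.ini, mirc.ini and directory listing below are constructed samples; the antivirus and firewall product paths in the wininit.ini sample are made up, since the worm writes whatever files it found. On a live host you would read the Run key with winreg and the INI files from the Windows and mIRC directories. The INI reader is written by hand because configparser collapses the repeated NUL= keys the worm writes into one.

```python
"""Host triage for Goner artifacts (added example, not Bitdefender's code)."""


def ini_sections(text: str) -> dict:
    """Minimal INI reader that keeps duplicate keys (configparser would merge them)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def pending_deletes_win9x(wininit_text: str) -> list:
    """Files Windows 9x will delete at the next boot: NUL=<path> lines in [rename]."""
    return [path for key, path in ini_sections(wininit_text).get("rename", [])
            if key.upper() == "NUL"]


def mirc_remote_scripts(mirc_text: str) -> list:
    """Remote scripts mIRC loads at start-up, from the [rfiles] section of mirc.ini."""
    return [path for _, path in ini_sections(mirc_text).get("rfiles", [])]


def run_entries_for(run_values: dict, filename: str = "gone.scr") -> list:
    """Run-key value names whose data launches <filename>. The worm names the
    value after the full path, so the returned name is the path itself."""
    wanted = "\\" + filename.lower()
    return sorted(name for name, data in run_values.items()
                  if data.strip('"').lower().endswith(wanted))


def goner_indicators(run_values: dict, wininit_text: str, mirc_text: str,
                     winsys_listing: list) -> dict:
    """Collect every indicator from the page that is present on this (simulated) host."""
    hits = {}
    run = run_entries_for(run_values)
    if run:
        hits["run_key"] = run
    if any(name.lower() == "gone.scr" for name in winsys_listing):
        hits["dropped_file"] = "gone.scr"
    deletes = pending_deletes_win9x(wininit_text)
    if deletes:
        hits["pending_deletes"] = deletes
    if any(s.lower().endswith("remote32.ini") for s in mirc_remote_scripts(mirc_text)):
        hits["mirc_script"] = "remote32.ini"
    return hits


# Constructed samples. The product paths in wininit.ini are made up.
SAMPLE_RUN_VALUES = {
    "SystemTray": "SysTray.Exe",
    r"C:\WINDOWS\SYSTEM\gone.scr": r"C:\WINDOWS\SYSTEM\gone.scr",
}
SAMPLE_WININIT = r"""[rename]
NUL=C:\PROGRA~1\ANTIVIR\AVSHIELD.EXE
NUL=C:\PROGRA~1\FIREWALL\FW.EXE
"""
SAMPLE_MIRC_INI = r"""[mirc]
nick=victim
[rfiles]
n0=remote32.ini
"""
SAMPLE_WINSYS = ["kernel32.dll", "user32.dll", "Gone.scr"]

if __name__ == "__main__":
    for key, value in goner_indicators(SAMPLE_RUN_VALUES, SAMPLE_WININIT,
                                       SAMPLE_MIRC_INI, SAMPLE_WINSYS).items():
        print(f"{key}: {value}")
```

The pending-delete list is the one to act on first: those are the antivirus and firewall binaries that will be gone after the next reboot unless wininit.ini is cleaned before restarting.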