Gone.scr file in %WINSYS% directory
The registry key
with the value %WINSYS%\gone.scr
The windows from technical description.
Remote32.ini file in MIRC directory (only if MIRC is installed on system)
The BitDefender Virus Analyse Team has releasead a free removal tool for this particular virus.it detects all the known Win32.Gone@mm versions;
Important: You will have to close all applications before running the tool (including the antivirus shields) and to restart the computer afterwards. Additionally you'll have to manually delete the infected files located in archives and the infected messages from your mail client.
The BitDefender AntiGone.exe tool does the following:
it deletes the files infected with Win32.Gone;
it kills the process from memory;
it repairs the Windows registry.
You may also need to restore the affected files.
Sorin Victor Dudea BitDefender Virus Researcher
It came form: E-mail:
It arrives in the following format: Subject: Hi Body: How are you ?
When I saw this screen saver, I immediately thought about you.
I am in a harry, I promise you will love it.
Attachment: Gone.scr ICQ and Mirc
It arrives as a file transfer request.
After running the worm (attachment or transferred file) it will show the following animated window:
After some time the following dialog box will appear:
While the worm displays those two windows it will scan the whole hard drive for finding some AV programs or firewalls. If it finds any it will create the file wininit.ini
(only for Win9x) and it will add the [remove]
section with as many Nul=filename Lines
as files it finds on hard disk. In this way at restart all those programs will be deleted. If the OS is not Win9x it will delete them at restart using registry.
After that it will try to kill those programs in memory to ensure that it will have unrestricted internet access.
To ensure that it will be executed again at restart it will add the following key in registry: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\%WINSYS%\gone.scr]
with value %WINSYS%\gone.scr
is the Windows System folder.
The worms drops the remote32.ini
file in Mirc directory and it adds a reference to that file to mirc.ini
. This file is responsible with Mirc spreading.
After that it takes all e-mail addresses from Outlook address book and it will send itself to all those addresses in the same format as it arrives.
When it finishes to send trough e-mail it will see if ICQ is loaded and if it is will try to spread to users ICQ contacts using ICQ's file transfer protocol.