Symptoms
Gone.scr file in %WINSYS% directory
The registry key
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\%WINSYS%\gone.scr]
with the value %WINSYS%\gone.scr
The windows shown in the technical description below.
Remote32.ini file in the mIRC directory (only if mIRC is installed on the system)
Removal instructions:
The BitDefender Virus Analyse Team has released a free removal tool for this particular virus.
Important: You will have to close all applications before running the tool (including the antivirus shields) and to restart the computer afterwards. Additionally you'll have to manually delete the infected files located in archives and the infected messages from your mail client.
The BitDefender AntiGone.exe tool does the following:
it detects all the known Win32.Gone@mm versions;
it deletes the files infected with Win32.Gone;
it kills the process from memory;
it repairs the Windows registry.
You may also need to restore the affected files.
Analyzed By
Sorin Victor Dudea, BitDefender Virus Researcher
Technical Description:
It comes from:
E-mail: It arrives in the following format:
Subject: Hi
Body: How are you ?
When I saw this screen saver, I immediately thought about you.
I am in a harry, I promise you will love it.
Attachment: Gone.scr
ICQ and mIRC: It arrives as a file transfer request.
After running the worm (attachment or transferred file) it will show the following animated window:
After some time the following dialog box will appear:
While the worm displays those two windows, it scans the whole hard drive for known antivirus programs and firewalls. If it finds any, on Win9x it creates the file wininit.ini and adds a [remove] section containing one Nul=filename line for each such file found on the hard disk, so that all those programs are deleted at the next restart. If the OS is not Win9x, it deletes them at restart using the registry instead.
After that it will try to kill those programs in memory to ensure that it will have unrestricted internet access.
To ensure that it will be executed again at restart it will add the following key in registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\%WINSYS%\gone.scr] with value
%WINSYS%\gone.scr where
%WINSYS% is the Windows System folder.
The worm drops the remote32.ini file in the mIRC directory and adds a reference to that file to mirc.ini. This file is responsible for spreading via mIRC.
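The following script is an added example for administrators triaging the symptoms listed above; it is not BitDefender's AntiGone tool and not part of the original page. It implements the three checks a defender would want from this description: parsing a wininit.ini [remove] section into the list of files that would be deleted at the next restart (keeping duplicate Nul= keys, which a dictionary-based parser would collapse), checking whether mirc.ini references the dropped remote32.ini, and checking the Windows System and mIRC directories for the dropped files plus the Run value (registry check only on Windows). The sample wininit.ini content, the temporary-directory layout and the [rfiles] section name in the constructed mirc.ini are assumptions for the demo.

```python
"""Defender-side checks for the Win32.Gone@mm indicators listed on this page.

Added example, not BitDefender's AntiGone tool. File names, the
[remove]/Nul=filename mechanism and the Run key location come from the
description above; sample file contents are constructed for the demo.
"""
import tempfile
from pathlib import Path, PureWindowsPath

DROPPED_SCREENSAVER = "gone.scr"      # dropped into the Windows System folder
MIRC_SCRIPT = "remote32.ini"          # dropped into the mIRC directory
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"  # under HKLM


def parse_ini(text):
    """Return (section, key, value) triples in file order.

    Duplicate keys are kept on purpose: the [remove] section of wininit.ini
    repeats the key 'Nul' once per file to delete, and a dict-based parser
    such as configparser would keep only the last one.
    """
    section = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries.append((section, key.strip().lower(), value.strip()))
    return entries


def wininit_remove_targets(wininit_text):
    """Files a Win9x [remove] section would delete at the next restart."""
    return [value for section, key, value in parse_ini(wininit_text)
            if section == "remove" and key == "nul"]


def mirc_references_script(mirc_ini_text, script_name=MIRC_SCRIPT):
    """True if any value in mirc.ini names the dropped script file."""
    needle = script_name.lower()
    return any(PureWindowsPath(value).name.lower() == needle
               for _section, _key, value in parse_ini(mirc_ini_text))


def run_value_present():
    """Look for a Run value whose data points at gone.scr (Windows only;
    returns None elsewhere so 'not checked' differs from 'not found')."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
            index = 0
            while True:
                _name, data, _kind = winreg.EnumValue(key, index)
                if PureWindowsPath(str(data)).name.lower() == DROPPED_SCREENSAVER:
                    return True
                index += 1
    except OSError:          # end of enumeration or key not readable
        return False


def check_indicators(winsys_dir, mirc_dir=None):
    """Report which file-system symptoms from the description are present."""
    winsys = Path(winsys_dir)
    found = {"gone.scr": (winsys / DROPPED_SCREENSAVER).is_file()}
    if mirc_dir is not None:
        mirc = Path(mirc_dir)
        found["remote32.ini"] = (mirc / MIRC_SCRIPT).is_file()
        mirc_ini = mirc / "mirc.ini"
        found["mirc.ini reference"] = (
            mirc_ini.is_file()
            and mirc_references_script(mirc_ini.read_text(errors="replace")))
    return found


# Constructed wininit.ini, shaped like the [remove] section described above.
WININIT_SAMPLE = r"""; constructed sample, not a real capture
[other]
key=value
[remove]
Nul=C:\PROGRA~1\AVPROD\AVSHIELD.EXE
Nul=C:\PROGRA~1\FIREWALL\FW.EXE
"""


def demo():
    """Build a constructed 'infected' layout in a temp dir and run the checks."""
    with tempfile.TemporaryDirectory() as tmp:
        winsys = Path(tmp, "system")
        mirc = Path(tmp, "mirc")
        winsys.mkdir()
        mirc.mkdir()
        (winsys / DROPPED_SCREENSAVER).write_bytes(b"placeholder, not the worm")
        (mirc / MIRC_SCRIPT).write_text("; constructed placeholder\n")
        # [rfiles] is assumed here as the section holding remote script names.
        (mirc / "mirc.ini").write_text("[rfiles]\nn0=remote32.ini\n")
        return check_indicators(winsys, mirc)


if __name__ == "__main__":
    print("wininit.ini would delete:", wininit_remove_targets(WININIT_SAMPLE))
    print("file symptoms:", demo())
    print("Run value present:", run_value_present())
```

On a real machine, point check_indicators at the actual Windows System folder and mIRC directory, and feed wininit_remove_targets the contents of wininit.ini from the Windows folder before rebooting: any security product listed there will be gone after the restart, which is why the removal instructions above insist on closing the shields and restarting only after the tool has run.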
After that it takes all e-mail addresses from the Outlook address book and sends itself to all those addresses in the same format in which it arrives.
When it finishes sending through e-mail, it checks whether ICQ is loaded and, if it is, tries to spread to the user's ICQ contacts using ICQ's file transfer protocol.