Email-Worm.Win32.Goner

Class Email-Worm
Platform Win32
Description

Technical Details

This is a worm that spreads over the Internet as an attachment to infected
e-mail messages and by sending itself through the ICQ instant-messaging client. It
also plants a Trojan script into mIRC to attack an IRC channel, and it defends itself
against anti-virus and firewall programs by terminating them and deleting their files.

The worm itself is a Windows PE EXE file about 38 KB in length, written in
Visual Basic and packed with UPX. After unpacking, it is about 148 KB
in size.

An infected message contains:

The worm is activated from an infected e-mail only when the user opens the attached
file. It then installs itself on the system, runs its spreading routines and
payload, and displays animated windows with the following text:

Then it displays the following message dialogue:

Installation

While installing, the worm copies itself to the Windows system directory under the
name GONE.SCR and registers that file in the system registry auto-run key, so it is
started on every boot:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
C:\WINDOWS\SYSTEM\GONE.SCR = C:\WINDOWS\SYSTEM\GONE.SCR

Following this, the worm hides its main window, and continues spreading.

Spreading via E-mail

In order to send infected messages, the worm uses MS Outlook and sends itself to
all addresses found in the Outlook address book.


Spreading via ICQ

The worm spreads through the ICQ client. It uses the library
ICQMAPI.DLL, which it copies from the directory C:\PROGRAM FILES\ICQ to
the Windows system directory. It then drives the client program: it searches for
the file-transfer dialogue windows listed below and answers their requests in order
to send itself to other users. The window titles are as follows:

Send Online File
Send Online File Request

The worm periodically looks for windows and closes them. The titles of
the windows are as follows:

User has declined your request
Can’t Send File Request
Send Online File [User Is in N/A mode]
Send Online File [User Is Away]
Send Online File [User Is Occupied]
Send Online File [User Is in DND mode]
User has declined your request
Can’t Send File Request
Send Online File Request [User Is in N/A mode]
Send Online File Request [User Is Away]
Send Online File Request [User Is Occupied]
Send Online File Request [User Is in DND mode]

Attacking an IRC channel

The worm searches the local disks for the file MIRC.INI. In each directory where it
finds one, it creates a new file, REMOTE32.INI, and registers it in MIRC.INI as a
remote script so that mIRC loads it. This script periodically joins the IRC channel
#pentagonex on the server twisted.ma.us.dal.net under a random nickname.

Protection from Anti-Virus Programs

While installing itself on the computer, the worm scans the running
processes and compares their names against the following list:

FINET.EXE
APLICA32.EXE
ZONEALARM.EXE
ESAFE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET32.EXE
PCFWallIcon.EXE
FRW.EXE
VSHWIN32.EXE
VSECOMR.EXE
WEBSCANX.EXE
AVCONSOL.EXE
VSSTAT.EXE
NAVAPW32.EXE
NAVW32.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
AVP32.EXE
AVPCC.EXE
AVPM.EXE
AVP.EXE
LOCKDOWN2000.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLOADNT.EXE
ICSUPPNT.EXE
TDS2-98.EXE
TDS2-NT.EXE
SAFEWEB.EXE
C:\SAFEWEB

For each match, the worm terminates the process in memory and erases its executable
from the disk. It then erases all files in that process's directory and in its
subdirectories. Any files that remain (for instance because they are still in use)
are scheduled for removal at the next restart: the worm adds delete commands for
them to the file WININIT.INI, which Windows 9x processes at boot before the shell loads.
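
As an added example (not part of the original description and not the worm's own code), the following Python triage routine checks a host for the persistence and self-defence artefacts described above: the Run-key entry for GONE.SCR, the dropped GONE.SCR and ICQMAPI.DLL in the system directory, delete commands queued in WININIT.INI, and REMOTE32.INI registered as a mIRC remote script. The inputs are constructed stand-ins for data a responder would pull from a suspect Windows 9x host. The NUL= syntax of WININIT.INI's [rename] section is genuine Windows 9x behaviour; the [rfiles] section name for mIRC's loaded remote scripts is an assumption about mIRC's INI layout.

```python
"""Triage check for the Goner artefacts described in this write-up.

Added example; not the worm's code and not part of the original description.
The inputs are constructed stand-ins for what a responder would collect from a
suspect Windows 9x host (Run-key values, a listing of the system directory, the
text of WININIT.INI and MIRC.INI).  Swap them for winreg and file reads on a
live host.
"""
import ntpath

# Artefact names taken from the description above.
DROPPED_SCR = "GONE.SCR"       # worm copy in the Windows system directory
DROPPED_DLL = "ICQMAPI.DLL"    # copied from C:\PROGRAM FILES\ICQ
MIRC_SCRIPT = "REMOTE32.INI"   # Trojan mIRC remote script
AV_PROCESSES = {               # the worm's kill list, upper-cased
    "FINET.EXE", "APLICA32.EXE", "ZONEALARM.EXE", "ESAFE.EXE", "CFIADMIN.EXE",
    "CFIAUDIT.EXE", "CFINET32.EXE", "PCFWALLICON.EXE", "FRW.EXE", "VSHWIN32.EXE",
    "VSECOMR.EXE", "WEBSCANX.EXE", "AVCONSOL.EXE", "VSSTAT.EXE", "NAVAPW32.EXE",
    "NAVW32.EXE", "_AVP32.EXE", "_AVPCC.EXE", "_AVPM.EXE", "AVP32.EXE", "AVPCC.EXE",
    "AVPM.EXE", "AVP.EXE", "LOCKDOWN2000.EXE", "ICLOAD95.EXE", "ICMON.EXE",
    "ICSUPP95.EXE", "ICLOADNT.EXE", "ICSUPPNT.EXE", "TDS2-98.EXE", "TDS2-NT.EXE",
    "SAFEWEB.EXE",
}


def parse_ini(text):
    """Minimal INI reader that keeps duplicate keys in order.

    configparser would collapse the repeated 'NUL=' keys that WININIT.INI's
    [rename] section relies on.  Returns (section, key, value) triples with
    section names lower-cased.
    """
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            entries.append((section, key.strip(), value.strip()))
    return entries


def pending_deletions(wininit_text):
    """Paths queued for deletion at next boot: [rename] NUL=<path>."""
    return [v for s, k, v in parse_ini(wininit_text)
            if s == "rename" and k.upper() == "NUL"]


def mirc_remote_scripts(mirc_text):
    """Remote scripts mIRC loads at start-up (assumed [rfiles] n0=, n1=, ...)."""
    return [v for s, k, v in parse_ini(mirc_text) if s == "rfiles"]


def triage(run_values, system_dir_files, wininit_text, mirc_text):
    """Return human-readable findings; an empty list means no Goner artefacts."""
    findings = []
    for name, command in run_values.items():
        if ntpath.basename(command).upper() == DROPPED_SCR:
            findings.append(f"Run-key persistence: {name} = {command}")
    present = {f.upper() for f in system_dir_files}
    for dropped in (DROPPED_SCR, DROPPED_DLL):
        if dropped in present:
            findings.append(f"dropped file in system directory: {dropped}")
    for path in pending_deletions(wininit_text):
        known = ntpath.basename(path).upper() in AV_PROCESSES
        tag = " (known security product)" if known else ""
        findings.append(f"delete queued in WININIT.INI{tag}: {path}")
    for script in mirc_remote_scripts(mirc_text):
        if ntpath.basename(script).upper() == MIRC_SCRIPT:
            findings.append(f"Trojan mIRC remote script registered: {script}")
    return findings


# Constructed sample data modelled on an infected host (not captured data).
SAMPLE_RUN = {
    r"C:\WINDOWS\SYSTEM\GONE.SCR": r"C:\WINDOWS\SYSTEM\GONE.SCR",
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
}
SAMPLE_SYSTEM_DIR = ["KERNEL32.DLL", "gone.scr", "icqmapi.dll"]
SAMPLE_WININIT = r"""[rename]
NUL=C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
NUL=C:\PROGRAM FILES\ZONE LABS\ZONEALARM\README.TXT
"""
SAMPLE_MIRC = r"""[mirc]
nick=someone
[rfiles]
n0=remote32.ini
n1=script.ini
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN, SAMPLE_SYSTEM_DIR, SAMPLE_WININIT, SAMPLE_MIRC):
        print(finding)
```

The INI parser is deliberately hand-rolled: WININIT.INI lists one NUL= line per file to delete, so a standard key/value parser that de-duplicates keys would hide all but the last queued deletion and understate the damage the worm has scheduled.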