Virus Database


I-Worm.Goner

Description I-Worm.Goner

This is a virus-worm that spreads over the Internet as an attachment to infected e-mails and also sends itself through the ICQ Internet pager. It attacks an IRC channel using a Trojan script, and protects itself from anti-virus programs.
The worm itself is a Windows PE EXE file about 38 KB in length, written in Visual Basic and packed with UPX. After unpacking, it is 148 KB in size.
An infected message contains:

The worm activates from an infected e-mail only when a user clicks on an attached file. Then it installs itself to the system and runs its spreading routine and payload. It displays animated windows with the following text:

Then it displays the following message dialogue:

Installation
While installing, the worm copies itself to the Windows system directory with the name GONE.SCR, and registers this file in the system registry auto-run key.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run C:\WINDOWS\SYSTEM\GONE.SCR = C:\WINDOWS\SYSTEM\GONE.SCR
Following this, the worm hides its main window, and continues spreading.
Spreading via E-mail
In order to send infected messages, the worm uses MS Outlook, and sends messages to all addresses found in the Outlook address book.
Spreading via ICQ
The worm spreads through the ICQ client. It uses the library ICQMAPI.DLL, which the worm copies from the directory C:\PROGRAM FILES\ICQ to the Windows system directory. It responds to the client program, looks for dialogue windows from a list, and answers their requests. The windows it looks for are as follows:
Send Online File
Send Online File Request

The worm periodically looks for windows with the following titles and closes them:
User has declined your request
Can't Send File Request
Send Online File [User Is in N/A mode]
Send Online File [User Is Away]
Send Online File [User Is Occupied]
Send Online File [User Is in DND mode]
User has declined your request
Can't Send File Request
Send Online File Request [User Is in N/A mode]
Send Online File Request [User Is Away]
Send Online File Request [User Is Occupied]
Send Online File Request [User Is in DND mode]

Attacking an IRC channel
The worm scans local disk directories for the file MIRC.INI. Where it finds one, it creates a new file, REMOTE32.INI, in the same directory and adds it to MIRC.INI. This script periodically joins a user with a random name to the IRC channel #pentagonex on the server twisted.ma.us.dal.net.
Protection from Anti-Virus Programs
While installing in the computer system, the worm scans the running processes, checking their names from the following list:
FINET.EXE
APLICA32.EXE
ZONEALARM.EXE
ESAFE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET32.EXE
PCFWallIcon.EXE
FRW.EXE
VSHWIN32.EXE
VSECOMR.EXE
WEBSCANX.EXE
AVCONSOL.EXE
VSSTAT.EXE
NAVAPW32.EXE
NAVW32.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
AVP32.EXE
AVPCC.EXE
AVPM.EXE
AVP.EXE
LOCKDOWN2000.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLOADNT.EXE
ICSUPPNT.EXE
TDS2-98.EXE
TDS2-NT.EXE
SAFEWEB.EXE
C:\SAFEWEB
The worm terminates each matching process in memory and erases its file from the disk. Then it erases all files in the process's directory, including files in subdirectories. For any files that remain, the worm sets up their removal at the next restart of the computer by adding delete commands to the file WININIT.INI.
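A triage check for the on-disk artifacts described above (the GONE.SCR copy, REMOTE32.INI next to MIRC.INI, and delete commands in WININIT.INI), as an added example that is not part of the original description. The function names and sample data are hypothetical, and it assumes WININIT.INI uses the standard `[rename]` section in which a `NUL=<path>` entry deletes `<path>` at the next boot.

```python
import os
import sys

# Constructed sample, not taken from an infected machine.
SAMPLE_WININIT = (
    "[rename]\n"
    "NUL=C:\\PROGRA~1\\EXAMPLE\\SCAN.DAT\n"
    "C:\\WINDOWS\\NEW.DLL=C:\\WINDOWS\\OLD.DLL\n"
    "nul=C:\\PROGRA~1\\EXAMPLE\\SCAN.DLL\n"
)

def _read(path):
    with open(path, "r", encoding="latin-1") as fh:
        return fh.read()

def pending_deletes(ini_text):
    """Return the paths a WININIT.INI [rename] section deletes at next boot."""
    # Parsed by hand: the NUL key repeats, which configparser rejects or merges.
    targets, in_rename = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_rename = line.lower() == "[rename]"
        elif in_rename and "=" in line and not line.startswith(";"):
            dest, _, src = line.partition("=")
            if dest.strip().lower() == "nul":
                targets.append(src.strip())
    return targets

def find_goner_artifacts(root):
    """Walk a drive root or mounted image and list (kind, path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {name.lower(): os.path.join(dirpath, name) for name in files}
        if "gone.scr" in by_lower:  # worm copy, expected in the system directory
            findings.append(("worm_copy", by_lower["gone.scr"]))
        if "mirc.ini" in by_lower and "remote32.ini" in by_lower:
            # The script only runs if MIRC.INI actually references it.
            loaded = "remote32.ini" in _read(by_lower["mirc.ini"]).lower()
            kind = "mirc_script_loaded" if loaded else "mirc_script_dropped"
            findings.append((kind, by_lower["remote32.ini"]))
        if "wininit.ini" in by_lower:  # deletions queued for the next restart
            for target in pending_deletes(_read(by_lower["wininit.ini"])):
                findings.append(("delete_on_reboot", target))
    return sorted(findings)

if __name__ == "__main__":
    for kind, path in find_goner_artifacts(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(kind, path)
```

The auto-run registry value is not covered here; a `delete_on_reboot` finding on its own is not specific to this worm, since legitimate installers also write `NUL=` entries.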


Macro.Word97.Horn

Description Macro.Word97.Horn

This virus contains two macros: AutoOpen and LittleHorn. The virus infects the system when an infected document is opened. It infects documents on the "e" keystroke; to do that, the virus installs its infection macro LittleHorn as the "e" keystroke handler.
The virus does not manifest itself in any way.

Macro.Word97.Hubad

Description Macro.Word97.Hubad

The virus spreads in Word documents. When an infected document is opened, the virus gains control and infects the global macros area (the Normal.dot template). Other documents are infected when they are opened or closed.
The virus has a payload routine that is executed when a document is printed. Before printing, this procedure inserts a symbolic picture of women at the current cursor position, and it removes the picture just after printing, so the picture appears only on paper.

    Copyright © 2005 Virus-Database.com