Goner worm
Description: The Goner worm is a mass mailer that was first reported on December 4 and spread worldwide within 24 hours of first being seen. On installation, the worm kills the AV protection process and then deletes the associated programs. InVircible is not affected by Goner.
The security products targeted by Goner are: AtGuard and ZoneAlarm (personal firewalls), eSafe, McAfee (NAI), Norton AV (Symantec), AVP (Kaspersky), Sophos, and TDS.
Propagation: Goner propagates as an e-mail attachment named GONE.SCR, and by file transfer over ICQ. When the attachment is opened, the worm copies GONE.SCR to the system directory and registers itself under HK_Local_Machine/ ... / CurrentVersion/Run as C:\%system%\gone.scr, where %system% is the path of the system directory. ….
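A triage check for the autostart entry described above, as an added example that is not part of the original advisory or of any InVircible tool. It assumes the reader has already exported the Run key's values as name/command pairs (the full key path is elided on this page and is not reconstructed here); the function name, the verdict labels and the sample entries are constructed for illustration.

```python
import ntpath
import re

# Indicator from the page: the worm's file name (Windows paths are case-insensitive).
WORM_FILE = "gone.scr"
# Leading path of a command line that ends in .scr, quoted or unquoted.
_SCR = re.compile(r'"?([^"]*?\.scr)(?=["\s]|$)', re.IGNORECASE)


def audit_run_entries(entries, system_dir):
    """entries: {value name: command line} exported from the Run key.

    Returns (name, path, verdict) for every entry that autostarts a
    screensaver file. "goner" means gone.scr inside the system directory,
    as the page describes; any other .scr autostart is marked "review".
    """
    sysdir = ntpath.normcase(ntpath.normpath(system_dir))
    findings = []
    for name, command in entries.items():
        match = _SCR.match(command.strip())
        if match is None:
            continue  # entry does not launch a .scr file
        path = match.group(1)
        norm = ntpath.normcase(ntpath.normpath(path))
        is_goner = (ntpath.basename(norm) == WORM_FILE
                    and ntpath.dirname(norm) == sysdir)
        findings.append((name, path, "goner" if is_goner else "review"))
    return findings


# Constructed sample entries, not taken from a real machine.
SAMPLE_RUN = {
    "SystemTray": "SysTray.Exe",
    "EntryA": r"C:\WINDOWS\SYSTEM\GONE.SCR",
    "EntryB": r'"C:\Program Files\Acme\demo.scr" /s',
    "EntryC": r"C:\TEMP\gone.scr",
}

if __name__ == "__main__":
    for finding in audit_run_entries(SAMPLE_RUN, r"C:\WINDOWS\SYSTEM"):
        print(finding)
```

Pass the machine's actual system directory as `system_dir`; the comparison ignores case, slash direction and a trailing separator.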
Detection/Prevention: IV Interceptor with SmartUpdate 100 detects Goner and blocks it from installing or executing. If your update number is lower than 100, run a forced SmartUpdate from this link. In an enterprise environment, make sure that SmartUpdate is set to run daily.
Cleaning: Users whose computers were infected with Goner may use the following dedicated utility to remove the worm.
From Windows 95/98/Me: Download the MakeResq and xGoner utilities. Insert an empty, formatted floppy in drive A: and run MakeResq from the desktop to convert it into a bootable rescue floppy. When done, copy the xgoner.exe that you just downloaded to the floppy. Now restart the computer from the rescue floppy and, at the A: prompt, run XGONER from it. Restart Windows when done. Running XGONER a second time from the desktop is recommended, to ensure that the registry change made by the worm is reverted.
From NT/2000/XP: Download xGoner to the desktop. Press Alt+Ctrl+Del once, click “Task Manager” and select the “process” tab. In the list, find “gone.scr” and end the process. You may now run XGONER from the desktop. Restart Windows after completing the procedure.