Another Virus Alert - MS Outlook and ICQ Users Beware!!
  #1 (permalink)  
Old 12-04-2001, 04:03 PM
Yshania's Avatar
Twisted Sister
 
Join Date: May 2001
Location: Some Girls Wander By Mistake
Posts: 8,573
From McAfee...HIGH RISK....

McAfee.com has seen an OUTBREAK of a large and growing number
of computers infected with W32/Goner@MM, also known as
Pentagone, Goner or Gone. This is a NEW, HIGH RISK virus
that spreads via Microsoft Outlook email and ICQ instant
messaging programs. This mass-mailing worm will arrive
from someone you know with the following email message:

Subject: Hi

Body: How are you ?
When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!

Attachment: GONE.SCR

Goner has a DESTRUCTIVE PAYLOAD. When the attachment is
opened, it will look for a variety of anti-virus, firewall
and other security programs and attempt to delete them,
along with ALL FILES in the same directory. This worm
will also place a trojan, REMOTE32.INI, on the system, which
contains instructions to attempt Denial-of-Service attacks
on other IRC users.


Take your ICQ off auto-receipt...

[ 12-04-2001: Message edited by: Yshania ]
__________________
Parachute for sale, like new! Never opened!
Guinness, black goes with everything.
  #2 (permalink)  
Old 12-04-2001, 04:17 PM
VoodooDali's Avatar
Exalted Member
 
Join Date: Mar 2001
Location: Spanking Witch King
Posts: 1,989
I was emailed that today. It went crazy on my mother's pc and sent me the same message like 25 times. I deleted them all. Unfortunately, my sucky Norton antivirus program won't upgrade virus definitions right now.
__________________
“I became insane, with long intervals of horrible sanity.” - Edgar Allen Poe
  #3 (permalink)  
Old 12-04-2001, 04:24 PM
Yshania's Avatar
Twisted Sister
 
Join Date: May 2001
Location: Some Girls Wander By Mistake
Posts: 8,573
Manual Removal Instructions....
__________________
Parachute for sale, like new! Never opened!
Guinness, black goes with everything.
  #4 (permalink)  
Old 12-04-2001, 04:35 PM
Ned Flanders's Avatar
Exalted Member
 
Join Date: May 2001
Location: Springfield
Posts: 4,856
@ VoodooDali,

Have you tried downloading the update file to your PC and then running it that way, as opposed to running a live update feature? That will probably do the trick.

If you are having update troubles as well as manual scans then the answer lies in the registry. It is a relatively simple fix. You can PM me if you want to discuss.

@ all,

This virus is a real pain in the A$$. If you're running win98 and contract the virus, you must remove a wininit.dll file also created by gone.scr. I struggled with this for a while today trying to remove the virus off a user's machine. The removal instructions at symantec.com weren't complete.

Ysh is right, ICQ users beware.

On the humorous side,

The above user came to me and said, "I think I ran an attachment that may be a virus in an email I just received. It looks as if Outlook is sending out several messages." The look on her face was priceless when I ripped the A/C cord out of the wall (getting to the CAT5 cable was too much work).

At least the virus isn't going to hurt any files besides Norton.
__________________
Crush enemies, see them driven before you, and hear the lamentations of the women.
  #5 (permalink)  
Old 12-04-2001, 04:40 PM
Yshania's Avatar
Twisted Sister
 
Join Date: May 2001
Location: Some Girls Wander By Mistake
Posts: 8,573
@Ned- how do the removal instructions from McAfee look?...
__________________
Parachute for sale, like new! Never opened!
Guinness, black goes with everything.
  #6 (permalink)  
Old 12-05-2001, 09:09 AM
HighLordDave's Avatar
Exalted Member
 
Join Date: Jan 2001
Location: Mon Calamari
Posts: 4,059
Someone on campus got this virus yesterday and it's making the rounds through everyone's email because we're all set up on Outlook. There's nothing I enjoy more than getting a self-replicating worm virus from someone in Computing Services. Kind of makes me want to give them a big "Up yours!" when they tell me that I'm compromising the security of the network by installing "unauthorised" software on my workstation; at least I have the common sense enough to recognise and not forward malicious code.
__________________
Jesus saves! And takes half damage!

If brute force doesn't work, you're not using enough.

Read the High Lord's Blog
  #7 (permalink)  
Old 12-05-2001, 10:58 AM
Ned Flanders's Avatar
Exalted Member
 
Join Date: May 2001
Location: Springfield
Posts: 4,856
Ysh,

I'm a Norton stiff. Don't know much about McAfee removal. It's got to be similar; the virus runs the same way regardless of the AV software installed.
__________________
Crush enemies, see them driven before you, and hear the lamentations of the women.
  #8 (permalink)  
Old 12-05-2001, 11:05 AM
Yshania's Avatar
Twisted Sister
 
Join Date: May 2001
Location: Some Girls Wander By Mistake
Posts: 8,573
@Ned - I have previously posted a link that gives you manual removal instructions at the bottom of the page...
__________________
Parachute for sale, like new! Never opened!
Guinness, black goes with everything.
  #9 (permalink)  
Old 12-05-2001, 11:21 AM
fable's Avatar
Super Moderator
 
Join Date: Mar 2001
Location: The sun, the moon, and the stars.
Posts: 30,320
I've gotten that virus sent to me twice this morning. Deleted both posts, emailed the sender about it.

My Standard Operating Procedure:

If I don't know the sender, I delete the email.

If I do know the sender but the email sounds suspiciously generic, I'll mail 'em back and delete the email.
__________________
To the Righteous belong the fruits of violent victory. The rest of us will have to settle for warm friends, warm lovers, and a wink from a quietly supportive universe.
  #10 (permalink)  
Old 12-05-2001, 11:40 AM
HighLordDave's Avatar
Exalted Member
 
Join Date: Jan 2001
Location: Mon Calamari
Posts: 4,059
The best thing to do is exactly what our friend fable said and not open email attachments from people you don't know or don't correspond with regularly. Other ways to recognise a virus attachment:

Turn on your file extensions and look for programs trying to disguise themselves as documents. If the attachment is something like GenericDocument.doc.vbs or ClickOnMe.wpd.bat it's probably a virus.

Misspelling or bad grammar in the email body text.

You get more than one copy of the same email from the same person.

The email is from someone you don't usually get attachments from.

As a general practice, I don't ever open attachments, unless someone has told me in advance that they are sending one to me. There are just too many viruses running around out there that being a little cautious can't hurt.
__________________
Jesus saves! And takes half damage!

If brute force doesn't work, you're not using enough.

Read the High Lord's Blog
  #11 (permalink)  
Old 12-05-2001, 01:38 PM
Mr Sleep's Avatar
Exalted Member
 
Join Date: Oct 2000
Location: Dead End Street
Posts: 11,274
If you are using Outlook Express, the first thing to do is turn off the preview pane: go to View --> Layout and you should find the relevant click box. This will stop the email from automatically opening when you press on it. Another process (only useful after doing the above): right click on the email, go to Properties, click the Details tab, then check Message Source. Skim through that until you find the suffix of the attachment; if it is something like doc.pif or if it has two suffixes, then you know it has a virus. We charge our clients for this kind of knowledge, you get it for free.

[ 12-05-2001: Message edited by: Mr Sleep ]
__________________
I'd have to get drunk every night and talk about virility...And those Pink elephants I'd see.
Reply With Quote
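
Added example (not part of any post in this thread): the message-source check described in posts #10 and #11, automated in Python. It parses raw message source and flags attachments whose final suffix is executable or hidden behind a document suffix. The suffix lists, the addresses and the sample message are constructed for illustration; the file names GONE.SCR, GenericDocument.doc.vbs and ClickOnMe.wpd.bat are the ones quoted in the thread.

```python
import email
from email import policy

# Suffixes Windows runs on double-click (illustrative, not exhaustive).
EXECUTABLE_EXTS = {"scr", "pif", "vbs", "bat", "exe", "com"}
# Suffixes a reader takes for "just a document".
DOCUMENT_EXTS = {"doc", "wpd", "txt", "jpg", "pdf", "xls"}


def classify_filename(name):
    """Return 'disguised', 'executable' or 'ok' for one attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    parts = name.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    # Executable suffix hidden behind a document suffix, e.g. report.doc.vbs
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return "disguised"
    return "executable"


def scan_message_source(raw):
    """Parse raw message source and return [(filename, verdict), ...]."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()  # None for the body and container parts
        if name:
            findings.append((name, classify_filename(name)))
    return findings


def build_sample(filename):
    """Constructed message source with one attachment (not a real capture)."""
    return (
        "From: friend@example.com\r\nTo: me@example.com\r\nSubject: Hi\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nHow are you ?\r\n"
        "--b1\r\nContent-Type: application/octet-stream\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--b1--\r\n"
    )


if __name__ == "__main__":
    for fn in ("GONE.SCR", "GenericDocument.doc.vbs", "ClickOnMe.wpd.bat", "notes.txt"):
        print(scan_message_source(build_sample(fn)))
```

A mail gateway would apply the same test to block or quarantine the message before it reaches the inbox, so the decision does not depend on each reader having file extensions turned on.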
  #12 (permalink)  
Old 12-05-2001, 01:42 PM
Banned
 
Join Date: Mar 2001
Location: Ruins of Imagination
Posts: 732
I have had four of them that were caught by McAfee, on my Hotmail account. Mostly from advertisement junk mail.
  #13 (permalink)  
Old 12-05-2001, 10:54 PM
Xandax's Avatar
Super Moderator
 
Join Date: Nov 2000
Location: Denmark
Posts: 13,863
Blog Entries: 17
Yeah - another virus - "Goner" - and imagine, I've not been attacked by this yet - wohoo.

And like so many other vira - this is only dangerous (AFAIK) if you open and try to run the attached file, so this is actually a pretty simple virus.