Goner.A is a new mass-mailer spreading via Microsoft Outlook that masquerades as a screen saver. It also has ICQ and mIRC spreading capabilities.
The worm attaches itself to an email with the subject line "Hi", and attachment name "gone.scr". The message body reads:
How are you ? When I saw this screen saver, I immediately thought about you I am in a harry, I promise you will love it!
Once activated, the worm display a message box about it's origin, and an error message "Error While Analyze DirectX!". It searches the following processes in memory:
Once found, the process is terminated. The worm then search and delete all files under the directory from where the target process launched. If any files can not be removed at the time, an entry will be added to WININIT.INI and the file will be removed at the next Windows restart.
The worm drops a copy of itself as "gone.scr" to the System directory, and registry this copy to be run on Windows startup. The registry key:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Key name "\gone.scr" with value "\gone.scr"
InoculateIT Engine Virus Signature Update Files, Version 23.48.49 Engine version 23.48.00)
Vet Engine Virus Signature Update Files, Vet sig will be Version 10.4.1678 (Engine version 10.4.1).
Inoculan 4.0/InoculateIT 4.5x Virus Signature Update Files, Version 30.49 (Engine version 30.00)
Be careful,update your DAT files ASAP and if you don't have a Antivirus download a 30 day trial one at Mcafee.Com or Norton.Com,
Unfortunately it looks like your attempt to purchase VIP membership has failed due to your card being declined. Good news is that we have several other payment options that you could try.
VIP MEMBER
, you are now a VIP member!
We thank you for your purchase!
VIP MEMBER
, Thank you for becoming VIP member!
Membership should be activated shortly. You'll receive notification!
