Wednesday, November 16, 2005


Blended threats are often ingenious in their attempts to infiltrate and spread, and Goner is a particularly effective example of this quality.
Goner spreads in one of two ways. The more prevalent method is via email, where it travels as an attachment that masquerades as a screen saver called GONE.SCR. The subject line typically reads, “Hi!” and the body typically reads, “How are you? When I saw this screen saver, I immediately thought about you ... I am in a hurry [sic], I promise you will love it!” On infected computers, Goner emails itself to all addresses listed in the Microsoft Outlook address book.
Goner also propagates by initiating file transfers in ICQ, a popular instant messaging program. If the ICQ user on the other end of the file transfer accepts the infected file (or if the user previously set ICQ to automatically receive files) and executes it, Goner infects that user’s computer. When users execute GONE.SCR, a splash screen and an error message appear as the worm replicates in the Windows system folder and modifies the Windows Registry (the central database of settings and user preferences).
But Goner reserves its most sinister behavior for its nemeses: anti-virus programs. If Goner finds any program on its large list of anti-virus and other security programs, it terminates it. This behavior also leaves infected computers open to future attacks, especially from hackers who use computers as zombies (systems open to outside access so that someone can control them remotely) in wide-ranging DoS attacks.
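The email traits described above (a GONE.SCR attachment, the “Hi!” subject and the screen-saver wording) are enough for a mail gateway check. The following is an added example, not code from the original post: the function names, the extension list and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# File types Windows runs directly; a .scr screen saver is an ordinary executable.
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com", ".bat", ".vbs")
# Traits taken from the description of Goner's email above.
GONER_ATTACHMENT = "gone.scr"
GONER_SUBJECT = "hi!"
GONER_BODY_MARKER = "when i saw this screen saver"


def inspect_message(raw: bytes) -> dict:
    """Parse one raw message and report executable attachments and Goner traits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"executable_attachments": [], "goner_traits": []}
    if (msg["Subject"] or "").strip().lower() == GONER_SUBJECT:
        findings["goner_traits"].append("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            lowered = name.strip().lower()
            # Only the final extension counts, so "photo.jpg.scr" is still caught.
            if lowered.endswith(EXECUTABLE_EXTS):
                findings["executable_attachments"].append(name)
            if lowered == GONER_ATTACHMENT:
                findings["goner_traits"].append("attachment")
        elif part.get_content_type() == "text/plain":
            if GONER_BODY_MARKER in part.get_content().lower():
                findings["goner_traits"].append("body")
    # Quarantine on any executable attachment; label the message Goner-like
    # only when the attachment name and at least one text trait agree.
    traits = findings["goner_traits"]
    findings["quarantine"] = bool(findings["executable_attachments"])
    findings["goner_like"] = "attachment" in traits and len(traits) >= 2
    return findings


def build_sample() -> bytes:
    """Constructed sample with Goner's traits and a harmless placeholder payload."""
    m = EmailMessage()
    m["Subject"] = "Hi!"
    m.set_content("How are you? When I saw this screen saver, I immediately thought about you")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename="GONE.SCR")
    return m.as_bytes()


if __name__ == "__main__":
    print(inspect_message(build_sample()))
```

Blocking on the extension rather than on the exact file name means a renamed copy of the attachment is still quarantined, even though it is no longer labelled Goner-like.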

