
Win32.Gone.A@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Gone.A@mm is also known as W32/Goner.A@mm.

Explanation :

It comes from:

E-mail: It arrives in the following format:

Subject: Hi

Body:
How are you ?
When I saw this screen saver, I immediately thought about you.
I am in a harry, I promise you will love it.

Attachment:
Gone.scr

ICQ and mIRC
It arrives as a file transfer request.

After running the worm (attachment or transferred file) it shows an animated window (screenshot not reproduced here).

After some time a dialog box appears (screenshot not reproduced here).

While those two windows are displayed, the worm scans the whole hard drive for files belonging to antivirus programs and firewalls. On Win9x it then creates the file wininit.ini and adds a [rename] section containing one NUL=<path> line per file it found; Windows processes this section at the next boot, and "renaming" a file to NUL deletes it, so every matched program is removed on restart. On Windows versions other than Win9x it uses the registry to schedule the same deletions for the next restart.

It then tries to terminate those same programs in memory, so that nothing blocks its Internet access.

To ensure that it is executed again after a restart, it adds the following registry value:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    %WINSYS%\gone.scr = %WINSYS%\gone.scr

where %WINSYS% is the Windows System folder (the value name and its data are both the full path of the dropped copy).

The worm drops the file remote32.ini into the mIRC directory and adds a reference to it in mirc.ini; this script is responsible for spreading over mIRC.
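The three on-disk artefacts described above (the wininit.ini deletion list, the Run-key value pointing at gone.scr, and the mirc.ini reference to remote32.ini) can be checked offline from copies of the files. The Python script below is an added example and is not part of the BitDefender write-up; the file contents it parses are constructed samples, and the [rfiles] section name in the mirc.ini sample is an assumption (the check deliberately does not depend on it).

```python
"""Offline triage for the Gone.A artefacts listed above.

Added example, not code from the original write-up. Inputs are plain strings so
copies of wininit.ini, a .reg export of the Run key, and mirc.ini can be fed in
from a disk image or a quarantined host; the samples at the bottom are constructed.
"""
import re
from typing import Dict, List, Tuple

Entries = List[Tuple[str, str]]


def parse_ini(text: str) -> Dict[str, Entries]:
    """Minimal INI/.reg parser that keeps duplicate keys in order.

    configparser is deliberately not used: wininit.ini repeats the NUL key
    once per file to delete, and configparser would collapse those lines.
    """
    sections: Dict[str, Entries] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def _unquote_reg(s: str) -> str:
    """Strip the surrounding quotes and backslash escapes of a .reg string."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return re.sub(r"\\(.)", r"\1", s)


def wininit_deletions(wininit_ini: str) -> List[str]:
    """Files a Win9x boot would delete: [rename] entries whose key is NUL."""
    return [value for key, value in parse_ini(wininit_ini).get("rename", [])
            if key.upper() == "NUL"]


RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run"


def run_key_hits(reg_export: str, marker: str = "gone.scr") -> Entries:
    """Run-key values (HKLM or HKCU) whose data ends in the dropped file name."""
    hits: Entries = []
    for section, entries in parse_ini(reg_export).items():
        if not section.endswith(RUN_KEY_SUFFIX):
            continue
        for name, data in entries:
            data = _unquote_reg(data)
            if data.lower().endswith(marker):
                hits.append((_unquote_reg(name), data))
    return hits


def mirc_script_hits(mirc_ini: str, marker: str = "remote32.ini") -> List[str]:
    """mirc.ini values that load the dropped script, in any section."""
    hits = []
    for entries in parse_ini(mirc_ini).values():
        for _, value in entries:
            basename = value.lower().replace("/", "\\").rsplit("\\", 1)[-1]
            if basename == marker:
                hits.append(value)
    return hits


def triage(wininit_ini: str, reg_export: str, mirc_ini: str) -> dict:
    """Combine the three checks; 'infected' is True if any indicator is present."""
    report = {
        "wininit_deletions": wininit_deletions(wininit_ini),
        "run_key": run_key_hits(reg_export),
        "mirc": mirc_script_hits(mirc_ini),
    }
    report["infected"] = any(report[k] for k in ("wininit_deletions", "run_key", "mirc"))
    return report


# Constructed samples (not captured from a real infection); the [rfiles]
# section name in the mirc.ini sample is an assumption.
WININIT_SAMPLE = r"""[rename]
NUL=C:\PROGRA~1\AV\scan.exe
NUL=C:\PROGRA~1\Firewall\fw.exe
"""

REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"C:\\WINDOWS\\SYSTEM\\gone.scr"="C:\\WINDOWS\\SYSTEM\\gone.scr"
"""

MIRC_SAMPLE = """[rfiles]
n0=aliases.ini
n1=remote32.ini
"""

if __name__ == "__main__":
    for key, value in triage(WININIT_SAMPLE, REG_SAMPLE, MIRC_SAMPLE).items():
        print(f"{key}: {value}")
```

The wininit.ini check is the one that matters most on a Win9x host: a [rename] section full of NUL= lines is exactly the deletion list the worm builds, and it can be removed before the next reboot, which is when the security software would otherwise disappear.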

It then collects all e-mail addresses from the Outlook address book and sends itself to each of them in the same format in which it arrived.

When it finishes sending e-mail, it checks whether ICQ is loaded and, if it is, tries to spread to the user's ICQ contacts using ICQ's file transfer.

Last update 21 November 2011
