Effects
Goner.A carries out the following actions:
- It kills the following processes in affected computers:
APLICA32.EXE, AVCONSOL.EXE, AVP.EXE, AVP32.EXE, AVPCC.EXE, AVPM.EXE, CFIADMIN.EXE, CFIAUDIT.EXE, CFINET.EXE, ESAFE.EXE, FRW.EXE, ICLOAD95.EXE, ICLOADNT.EXE, ICMON.EXE, ICSUPP95.EXE, ICSUPPNT.EXE, LOCKDOWN2000.EXE, NAVAPW32.EXE, NAVW32.EXE, PCFWallIcon.EXE, SAFEWEB.EXE, TDS2-98.EXE, TDS2-NT.EXE, VSECOMR.EXE, VSHWIN32.EXE, VSTAT.EXE, WEBSCANX.EXE and ZONEALARM.EXE.
- It deletes all the files in the same directory as the executable files corresponding to the processes it kills.
- It deletes all the files in the directory C:\SAFEWEB, if it is located on the affected computer.
- It uses the affected computer to launch DoS (denial of service) attacks through IRC.
- It ends the Windows session.
Infection strategy
Goner.A creates the following files:
- WININT.INI is used by Goner.A to delete all the files it could not delete the first time.
- REMOTE32.INI is used by Goner.A to launch DoS (Denial of Service) attacks from affected computers, provided that the mIRC application is installed. Then it looks for the DLL (Dynamic Link Library) ICQMAPI.DLL.
Goner.A creates the following entry in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
C:\%WINDIR%\%SYSTEM%\gone.scr = C:\%WINDIR%\%SYSTEM%\gone.scr
By creating this entry, Goner.A ensures that it is run whenever Windows is started.
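A triage check built from the indicators on this page (the Run entry, the two INI file names, and the 38,912-byte size given under Further Details), as an added example that is not part of the original description. It assumes the Run key has been dumped as text with `reg query` and that a file listing with sizes is available; the function names and sample data are constructed for illustration, and the check goes slightly beyond the page by also flagging any other .scr file started from the Run key.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the description above.
WORM_FILE = "gone.scr"
WORM_SIZE = 38912                      # bytes
HELPER_FILES = {"winint.ini", "remote32.ini"}

# One value line of `reg query` output: name, type and data, 4 spaces apart.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# File-name component ending in .scr (screen savers are ordinary PE executables).
SCR_NAME = re.compile(r'([^\\/"]+\.scr)(?=["\s]|$)', re.I)

def scan_run_key(reg_query_output):
    """Return (level, value name, value data) for Run values that start a .scr file."""
    findings = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue                   # key header or blank line
        # Goner.A uses its own path as both the value name and the data.
        hit = SCR_NAME.search(m["name"]) or SCR_NAME.search(m["data"])
        if hit:
            level = "goner" if hit.group(1).lower() == WORM_FILE else "suspicious-scr"
            findings.append((level, m["name"], m["data"]))
    return findings

def scan_files(listing):
    """listing: iterable of (path, size in bytes). Return (path, reason) pairs."""
    hits = []
    for path, size in listing:
        name = PureWindowsPath(path).name.lower()
        if name == WORM_FILE:
            reason = "name and size match" if size == WORM_SIZE else "name matches, size differs"
            hits.append((path, reason))
        elif name in HELPER_FILES:
            hits.append((path, "helper file"))
    return hits

# Constructed sample data, not taken from a real host.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    SysTray.Exe
    C:\WINDOWS\SYSTEM\gone.scr    REG_SZ    C:\WINDOWS\SYSTEM\gone.scr
"""
SAMPLE_FILES = [(r"C:\WINDOWS\SYSTEM\gone.scr", 38912), (r"C:\WINDOWS\WIN.INI", 512),
                (r"C:\WINDOWS\REMOTE32.INI", 204)]

if __name__ == "__main__":
    for finding in scan_run_key(SAMPLE_REG) + scan_files(SAMPLE_FILES):
        print(finding)
```

A file-name match alone is weak evidence; the Run entry together with a file of the stated size is the stronger signal.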
Means of transmission
Goner.A spreads via e-mail and ICQ.
1.- Transmission via e-mail.
Goner.A follows the routine below:
It reaches the computer in a message with the following characteristics:
- Subject:
Hi
- Message:
How are you?
When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!
- Attachments:
GONE.SCR
- When the attached file is run, the computer is affected.
- It sends itself out to all the contacts in the Address Book of the affected computer.
2.- Transmission via ICQ.
Goner.A also spreads through ICQ, by sending itself to all the contacts stored in this application.
Further Details
Goner.A is written in the programming language Visual Basic v6.0. The worm has a PE (portable executable) type executable file with an SCR extension, which is 38,912 bytes in size and is compressed in a similar format to UPX 0.9, but is protected in order to prevent it from being decompressed.
The Goner.A code contains the following information:
- Comments: Power Puff girls rulz! ;>
- Product name: pentagone
- Internal name: gone
- Original file name: GONE.SCR
- Product version: 0.00.0003