WIN32/Goner.A

A The worm spreads via e-mail with the Subject: “Hi“. The body of the infected message contains the following text:

How are you ?
When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!

The worm itself is hidden in the attachment: Gone.scr

After activation, the worm opens the “Pentagon“ window. The window contains text about the author and the testers. In he background, fireworks effect is displayed.

Activation of the worm is provided via registration of the Gone.scr file (located in the Windows system directory) into the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key.

Finally, the worm displays a faked error message: “ErrorWhile Analyze DirectX!“.

The worm delets and quits certain programs, among them Zone Alarm firewall. It also attempts to spread as the ICQ script.

To remove the infiltration manually, delete the Gone.scr file in the Windows system directory as well as the registry entry listed above. For automatic cleaning, use NOD32, version 1.129.