Goner isn't quite one yet this morning.
The worm, W32.goner.a@mm, continues to spread via e-mail, clogging e-mail gateways and deleting critical anti-virus and security programs from infected computers. Though anti-virus definitions have been updated overnight and the worm's spread is abating, administrators and users continue to ignore basic security measures that could keep malware like this and Badtrans.b in check.
"A lot of administrators and users rely on their antivirus and that does not prevent all attacks from coming in," said TruSecure Surgeon General Russ Cooper.
Goner arrives with a Visual Basic attachment called Gone.scr, purporting to be a screensaver. It arrives with a subject line of "Hi", and the text of the e-mail message is: "How are you? When I saw this screen saver, I immediately thought about you. I am in a harry, I promise you will love it!" The worm does not run automatically when the message is opened; users must double-click the attachment to launch it and kick off the mass-mailing portion of the worm.
It copies itself to the infected user's hard drive, and then points a registry key to the file location to execute the worm each time the system reboots.
Cooper recommends that administrators override user demands for executable attachments by filtering mail and attachment content and blocking executables. Badtrans.b, for example, contained the same screensaver executable that is at the heart of Goner's capabilities. And it hit the Internet just eight days ago.
"It has the exact same attack, so there's no reason so many corporations should have been affected," Cooper said. "Just filter these out. The problem is, administrators get pushback from users who say they need these attachments. In reality, there are 50 or 60 of these attachments that should be filtered and blocked. They are of no use to 95% of users in a corporation. Any grief they get should be weighed against the cost and downtime caused by one of these worms."
Cooper also advises diligent updating of antivirus definitions.
"Outlook 2000 and Outlook 2002 security updates contain updates that prevent these attachments from coming in," Cooper said. "Anyone not using these programs, or Outlook Express or older versions of Outlook is vulnerable. Administrators have no way of preventing users from making the mistake of opening the attachment and spreading it."
Microsoft Exchange Server is also without an attachment filter, Cooper said. He added that this should be a core functionality of server security.
"Cleanups will depend on where mail is stored, either on the client desktop or on the server. Most virus definitions have been updated by now," Cooper said. "Administrators should be filtering inbound attachments for the .SCR message. They'll have to use an antivirus content filter that filters attachments. I can't recommend to them strongly enough that filtering attachments is necessary."
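As an added illustration of the gateway attachment filtering Cooper recommends (example code written for this page, not from TruSecure or any product), the function below flags attachments by file-name extension, including the .SCR screensaver executable Goner uses. The block list is an illustrative subset and the sample message is constructed to mimic the Goner mail described above.

```python
import email
from email import policy
from email.message import EmailMessage

# Illustrative subset (assumption) of the executable extensions that should be
# blocked at the gateway; it is not the full list of "50 or 60" Cooper refers to.
BLOCKED_EXTENSIONS = {
    ".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta",
}


def blocked_attachments(raw_message: bytes) -> list[str]:
    """Return the file names of attachments whose extension is on the block list.

    The decision is made on the file name only (case-insensitive). The declared
    Content-Type is deliberately ignored because the sender controls that header.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if not name:
            continue
        # Match on the final suffix, so "report.txt.scr" is still treated as .scr.
        lowered = name.lower()
        if any(lowered.endswith(ext) for ext in BLOCKED_EXTENSIONS):
            hits.append(name)
    return hits


def build_sample(attachment_name: str = "Gone.scr") -> bytes:
    """Constructed sample resembling the Goner mail (not a real capture)."""
    msg = EmailMessage()
    msg["Subject"] = "Hi"
    msg["From"] = "someone@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("How are you? When I saw this screen saver, I immediately thought about you.")
    # Placeholder payload bytes; the filter never inspects attachment content.
    msg.add_attachment(b"PLACEHOLDER", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    msg.add_attachment("meeting notes", filename="agenda.txt")
    return msg.as_bytes()
```

A real gateway would also apply this check inside archives and to double-extension names, which the sample shows only for the plain case.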
Goner also modifies a user's ICQ and IRC chat clients and deletes popular security programs, such as ZoneAlarm firewalls, several McAfee virus scanners, Norton AntiVirus, Sophos and many others. Internet Security Systems said that the list of antivirus and personal firewall executables appears to have been taken from a previous worm, known as I-Worm.fog.
As of this morning, MessageLabs was reporting it had captured close to 40,000 infected e-mails in more than 17 countries.
"Usually, it's a new technique that causes these things to go ballistic and spread. It's strange, with this one, I don't see anything to cause this to happen," Cooper said. "That's why we didn't speculate this to be a big deal (Tuesday). It's still not clear to me why this is taking off. I speculate it's the stress people are under right now. This arrives as a light-hearted message and folks may just be looking for something to cheer them up."