
W32.Goner.A@mm

Risk Level 2: Low

Discovered: December 4, 2001
Updated: February 13, 2007 11:41:08 AM
Also Known As: I-Worm.Goner [Kaspersky], W32/Goner@MM [McAfee], WORM_GONER.A [Trend], W32/Goner-A [Sophos], Win32.Goner.A [Computer Associ
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Due to a decreased number of submissions, Symantec Security Response is downgrading W32.Goner.A@mm from a threat rating of Category 3 to Category 2.

W32.Goner.A@mm is a mass-mailing worm written in Visual Basic. The worm has been compressed using a Portable Executable (PE) file compressor. It can spread over the ICQ network as well as by email using Microsoft Outlook. If IRC is installed, the worm can also insert mIRC scripts that enable the computer to be used in Denial of Service (DoS) attacks. The IRC channel used for controlling the worm is currently blocked, preventing this functionality.




How to uninstall and reinstall your Symantec software
This is necessary if the worm has successfully deleted the Norton AntiVirus program files. Read the instructions that apply to your situation.

Norton AntiVirus is installed by itself
If you have installed only Norton AntiVirus, and it is not part of SystemWorks or Norton Internet Security, follow these instructions.
  1. Uninstall Norton AntiVirus from the Add/Remove Programs applet of the Windows Control Panel. You may or may not see error messages.
  2. Restart the computer.
  3. Carefully follow all of the instructions in the document How to uninstall Norton AntiVirus using the Rnav.exe removal tool.
  4. Restart the computer.
  5. Reinstall Norton AntiVirus from the installation CD or the downloaded installation files.

Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security
If Norton AntiVirus is installed as part of SystemWorks or Norton Internet Security, follow these instructions.
  1. Uninstall Norton SystemWorks or Norton Internet Security (or both if both are installed) from the Add/Remove Programs applet of the Windows Control Panel. Choose to uninstall all components. You may or may not see error messages.
  2. Restart the computer.
  3. Carefully follow all of the instructions in the document How to uninstall Norton AntiVirus using the Rnav.exe removal tool.
  4. Restart the computer.
  5. Reinstall your Symantec programs from the installation CD or the downloaded installation files.

    NOTE: If you have problems or see an error message when reinstalling either Norton SystemWorks or Norton Internet Security, read one--or both--of the following documents:
  6. Return to the section Remove the worm files and start with the first step.



What are Portable Executable (PE) files?
PE files are files that are portable across all Microsoft 32-bit operating systems. The same PE-format executable can be executed on any version of Windows 95, 98, Me, NT, and 2000. Therefore, all PE files are executable, but not all executable files are portable.

A good example of a Portable Executable is a screen saver (.scr) file.
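Because a .scr file is a PE executable, file triage should go by header content rather than extension. The following is an added example, not part of the original writeup or any Symantec tool: `parse_pe`, `triage`, and `build_sample` are hypothetical names, the sample headers are constructed, and the "empty raw section" check is only a heuristic for the layout that executable compressors often produce.

```python
import struct

def parse_pe(data):
    """Return header facts for a PE image, or None if data is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":            # DOS header magic
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)    # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)                   # 20-byte COFF header
    table = e_lfanew + 24 + opt_size                      # section table start
    sections = []
    for i in range(nsec):
        off = table + 40 * i                              # 40 bytes per entry
        if off + 40 > len(data):
            break                                         # truncated file
        name, vsize, _va, rawsize = struct.unpack_from("<8sIII", data, off)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, rawsize))
    return {"machine": machine, "dll": bool(chars & 0x2000), "sections": sections}

def triage(filename, data):
    """Classify a file by content; the extension is reported, never trusted."""
    info = parse_pe(data)
    if info is None:
        return {"pe": False}
    ext = filename.lower().rsplit(".", 1)[-1]
    # Heuristic: a section with no bytes on disk but space in memory is
    # typical of compressed executables (also seen in ordinary .bss sections).
    empty = [n for n, vsize, raw in info["sections"] if raw == 0 and vsize > 0]
    return {"pe": True, "ext": ext, "empty_raw_sections": empty}

def build_sample(sections):
    """Constructed PE headers only (not a runnable program), for the demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n, v, 0x1000, r, 0x200, 0, 0, 0, 0, 0)
        for n, v, r in sections)
    return dos + b"PE\0\0" + coff + table

if __name__ == "__main__":
    plain = build_sample([(b".text", 0x1000, 0x1000), (b".data", 0x200, 0x200)])
    packed = build_sample([(b"sec0", 0x8000, 0), (b"sec1", 0x3000, 0x2E00)])
    print(triage("sample.scr", plain))
    print(triage("sample.scr", packed))
    print(triage("notes.txt", b"plain text"))
```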

System Restore option in Windows Me
One of the new features of Windows Me is System Restore. This feature, which is enabled by default, is used by Windows to restore files on your computer in case they become damaged. Windows Me keeps the restore information in the _RESTORE folder. A _RESTORE folder is created on each hard drive on the computer; these folders are updated when the computer restarts.

If the computer is infected with W32.Goner.A@mm, then it is possible that the worm could be backed up in the _RESTORE folder. By default, Windows prevents System Restore from being modified by outside programs. Because of this, any repair attempts made by the removal tool will fail. To work around this, you must disable System Restore and restart the computer. This will purge the contents of the _RESTORE folder. You must then run the removal tool again.

To disable System Restore:
Follow the steps listed below the following figure. Use the numbers in the figure for reference.


  1. Close all open programs. Then right-click My Computer on the Windows desktop.
  2. Click Properties.
  3. Click the Performance tab.
  4. Click File System.
  5. Click the Troubleshooting tab.
  6. Check Disable System Restore.
  7. Click OK.
  8. Click OK.
  9. Click Yes to restart. The System Restore feature is disabled and the contents of the _RESTORE folder are purged when the system is restarted.

    NOTE: After following all of the removal instructions, repeat steps 1 through 9, except in step 6 uncheck Disable System Restore.

You can find additional information in the document Cannot repair, quarantine, or delete a virus found in the _RESTORE folder.

For additional information and an alternative to disabling System Restore, see the Microsoft Knowledge Base article Anti-Virus Tools Cannot Clean Infected Files in the _Restore Folder, Article ID: Q263455.


Antivirus Protection Dates

  • Initial Rapid Release version December 4, 2001
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version December 4, 2001
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date December 4, 2001

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: More than 1000
  • Number of Sites: More than 10
  • Geographical Distribution: High
  • Threat Containment: Easy
  • Removal: Moderate

Damage

  • Damage Level: Medium

Distribution

  • Distribution Level: High
Writeup By: Neal Hindocha
