The WORM_GONE.A virus, dubbed Goner or Gone, is a Visual Basic-compiled Windows executable worm that propagates through Microsoft Outlook and the ICQ instant messaging program.
It arrives in an e-mail with the following:
Subject: Hi
Body: How are you ?
When I saw this screensaver, I immediately thought about you
I am in a harry, I promise you will love it!
Attachment: GONE.SCR
The worm creates an Outlook Application Object, and uses MAPI script commands to send bogus e-mails to all recipients in the infected user's address book, according to anti-virus vendor Trend Micro.
The worm also installs a backdoor program linked to mIRC, a popular Internet Relay Chat program, and uses this to execute Denial of Service (DoS) attacks on IRC servers.
"At the moment there are over 100,000 infections already worldwide," Allan Bell, senior marketing manager, Network Associates Asia Pacific, told ZDNet Australia.
Although infections are taking off faster than last week's Badtrans virus, "I think it will probably peak earlier than Badtrans then drop away quicker," Bell said.
According to Bell, 25 of Network Associates' multinational clients have been infected with the virus, and locally the company has been contacting corporate customers since about 4am. "We've been able to head off at the path any virus these companies may get," Bell said. However, on a retail level, calls are coming in at seven times the normal level, he said, adding that some of those calls were still concerns about Badtrans.
Andrew Gordon, managed services architect, Trend Micro Australia/New Zealand, believes we will see more damage over the next few hours as workers launch into e-mail communication, with a slowdown expected after lunch.
"We're definitely seeing some local infections in both Australia and New Zealand," Gordon said. "At least 20 customers have called to say they've trapped it at the gateway," he said, adding that five to 10 infections had been reported by Trend Micro clients.
"I would say we're probably going to see more damage in the next couple of hours."
Trend Micro initially slated Goner as a yellow alert early this morning because it was contained within one continent. Now the anti-virus vendor has tagged it as a red alert, which means it's a risk to the rest of the world.
"You're only as good as your last update, but we don't want to be seen scaremongering the crowd," Gordon said, adding that the next thing we have to worry about are copycat viruses. However, as long as people are a little more cautious about what they open, it shouldn't propagate as rapidly as Badtrans, which infected machines without the attachment being executed, he said.
Symantec also pushed the Goner worm up to a threat level 4 early this morning, not because of the number of submissions, but because the percentage increase of submissions had been mounting at a fairly rapid rate, according to Symantec Australia general manager, John Donovan.
"It looks like it was written with the consumer user in mind," Donovan said of the virus. He believes that corporate workers have been burnt one too many times and are more likely to delete suspicious emails immediately. However, with only a handful of infections in Australia so far, Donovan says home users could be hit between 5 and 6pm "when consumers fire up PCs at home".











