Kaspersky Labs, an international data-security software-development company, announces the detection of a new mass mailing Internet-worm I-Worm.Goner. Reports of infection by this malicious program already have been reported in many countries throughout the world.
After this, "Goner" starts its spreading routine. To make it more effective, the worm uses two data-transmission channels simultaneously: e-mail and ICQ, the popular Internet-paging software. When spreading via e-mail, "Goner" gains access to Microsoft Outlook, creates a new message that contains an infected file, GONE.SCR, and unbeknownst to the user, sends it out to all the recipients from the Outlook address book. The distributed e-mail messages appear as follows:
After the e-mail spreading is finished, the worm consequently shows the following two windows:
"Goner" also tries to spread using ICQ. When active, it continuously traces the list of online ICQ users and regularly tries to send them the worm-carrier file. To conceal its unauthorized activity with ICQ, the worm permanently scans names of newly appeared dialogue boxes, and closes down those that are ICQ system messages.
In addition to spreading over the Internet, "Goner" also performs an attack on the #pentagonex IRC-channel. To accomplish this, the worm executes an additional script-program on the infected computer that regularly creates new members with random names on this channel. In some cases, this can overload the IRC channel and certainly annoys the IRC community.
Protection against "Goner" already has been added to the Kaspersky Anti-Virus daily update.
A more detailed description of the worm is available in the Kaspersky Anti-Virus Encyclopedia.