Well, it got my place of employment because stupid people don't know not to open random E-mail attachments. So now our Exchange server is down and we have to re-image a bunch of PCs. I guess that's just job security for me since I work in PC Support.
Aliases: GONE.A, WORM_GONER.A

Description: This Worm is a Visual Basic-compiled Windows executable, which propagates copies of itself via email using Microsoft Outlook and via ICQ. It finds certain files in memory and then terminates the processes of these found files. Thereafter, it executes a destructive payload of deleting files.

The Worm:

This worm arrives via email as the attachment GONE.SCR. The file is packed using the UPX packer program and is compiled using Visual Basic. The email details in which this Worm arrives are as follows:

Subject: Hi
Message Body: How are you ? When I saw this screensaver, I immediately thought about you I am in a harry, I promise you will love it!
Attachment: GONE.SCR

It creates an Outlook Application Object, and uses MAPI script commands to create and send bogus emails to all recipients in the infected user's address book. Thereafter, it deletes these bogus emails.

When executed, it displays a window containing the following:

pentagone
coded by: suid
texted by: ThE_SKuLL and |satan|
greetings to: TraceWar, k9_unit, stef16 ^Reno
greetings also to nonick2 out there where ever you are

It also uses the mIRC application to install a backdoor. It creates a REMOTE.INI file, which contains a script that loads every time the mIRC application is started. The Worm author can then use this Worm extension to start Denial of Service (DoS) attacks on IRC channels and/or users connected to the same IRC channel as the infected user.

The Worm also propagates via the ICQ chat application. It uses the ICQAPI to send a copy of itself to ICQ users.

The Payload:

The Worm contains a destructive payload, which runs through all running processes in memory. It terminates from memory any running process associated with the following filenames:

* IAMAPP.EXE
* IAMSERV.EXE
* CFINET.EXE
* APLICA32.EXE
* ZONEALARM.EXE
* ESAFE.EXE
* CFIADMIN.EXE
* CFIAUDIT.EXE
* CFINET32.EXE
* PCFWALLICON.EXE
* FRW.EXE
* VSHWIN32.EXE
* VSECOMR.EXE
* WEBSCANX.EXE
* AVCONSOL.EXE
* VSSTAT.EXE
* NAVAPW32.EXE
* NAVW32.EXE
* _AVP32.EXE
* _AVPCC.EXE
* _AVPM.EXE
* AVP32.EXE
* AVPCC.EXE
* AVPM.EXE
* AVP.EXE
* ICLOAD95.EXE
* ICMON.EXE
* ICSUPP95.EXE
* ICLOADNT.EXE
* ICSUPPNT.EXE
* TDS2-98.EXE
* TDS2-NT.EXE
* SAFEWEB.EXE

After terminating the files, it deletes these files including all the other files found in the directory where it found any of these files. This effectively disables the applications, preventing the files from functioning properly.

The Stealth Routine:

The main window of the Worm bears the name, "pentagone." On Windows 9x, it registers itself as a service process not visible on the Task List. Despite its invisibility on the Task List, the Outlook Application Object that it opens is visible on the Task List. To further prevent detection, it creates an entry in the WININIT.INI file with instructions that delete its currently running copy.
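
A mail-gateway style check built from the email details in the description above, as an added example that is not part of the original post or the vendor write-up. The function names, the extension list beyond .scr, and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly; .scr is the one named in the description.
# The rest of the set is an assumption, not taken from the page.
RISKY_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".vbs"}
# Indicators copied from the description above, lower-cased for matching.
GONER_ATTACHMENT = "gone.scr"
GONER_SUBJECT = "hi"
GONER_BODY_MARKER = "when i saw this screensaver"

def inspect_message(raw: bytes) -> dict:
    """Parse one RFC 5322 message and report why it should be quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    risky, body_text = [], ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        if name:
            # Test the final extension so "photo.jpg.scr" is still caught.
            dot = name.rfind(".")
            if dot != -1 and name[dot:] in RISKY_EXTENSIONS:
                risky.append(name)
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content().lower()
    subject = (msg["Subject"] or "").strip().lower()
    goner = GONER_ATTACHMENT in risky and (
        subject == GONER_SUBJECT or GONER_BODY_MARKER in body_text)
    # Quarantine on any risky attachment; goner_match only labels the family.
    return {"risky_attachments": risky, "goner_match": goner,
            "quarantine": bool(risky)}

def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Constructed test message; the attachment is inert placeholder bytes."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"placeholder, not malware", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    sample = build_sample("Hi", "How are you ?\nWhen I saw this screensaver, "
                          "I immediately thought about you", "GONE.SCR")
    print(inspect_message(sample))
```

The quarantine decision keys on the attachment type rather than the subject or body, since those strings are trivial to change between variants.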