thejewell
December 5th, 2001, 02:38 AM
Tuesday December 4 9:34 PM ET
'Goner' Worm Hitting Corporate, Individual PCs
By Elinor Mills Abreu and Bernhard Warner
SAN FRANCISCO/LONDON (Reuters) - A new computer worm named ''Goner'' was spreading quickly through corporate and personal e-mail inboxes on Tuesday, deleting system files and clogging networks in what could be the biggest outbreak since last year's ``Love Letter'' virus, security software vendors said.
``Goner is one of the most incredibly fast moving and potentially dangerous e-mail viruses we've seen,'' said Mark Sunner, chief technology officer of MessageLabs Inc.
Network Associates Inc. had seen several hundred thousand infections, said Michael Callahan, director of marketing for the company's McAfee division.
``We're seeing a slight bump as Asia comes online,'' he said late in the day.
The worm, a virus that propagates itself to other computers through the Internet or other networks, is affecting users of Microsoft Corp.'s Outlook and Outlook Express, said Ian Hameroff, business manager of security solutions at Computer Associates International Inc.
People using ICQ instant messenger and Internet Relay Chat also are susceptible to the worm because files can be transferred across those networks, Hameroff said.
Outlook 2002 users are not as impacted since it blocks potentially harmful attachments by default and warns users when a program tries to access e-mail addresses, according to Internet Security Systems Inc.
The Goner worm arrives in an attachment masquerading as a screen saver, with an e-mail subject line of ``Hi'' and text that says: ``How are you? When I saw this screen saver, I immediately thought about you I am in a harry (sic), I promise you will love it!''
Once the attachment is clicked, the worm sends itself to everyone in the user's e-mail address book, tries to close programs that are running and deletes certain system files, including security software, said Hameroff.
Goner also tries to install a back door on machines which could turn them into launch pads for denial of service attacks, said Symantec Corp.
In denial of service attacks malicious hackers remotely control multiple PCs, sometimes thousands of them, ordering them to flood Web servers with so much traffic that Web sites are effectively shut down to legitimate traffic.
``This is at outbreak status, which is very rare,'' said April Goostree, virus research manager at McAfee.com. ``The last outbreak we had was 'Love Letter' in May 2000.''
A virus is given outbreak status by McAfee.com if it is determined to be spreading quickly and affecting large corporate networks as well as individual computer users, Goostree said.
One of the nastier aspects of the virus is its attempt to disable antivirus and firewall software, so that victims have to reinstall the software in order to prevent future infections, said Sunner of MessageLabs.
SPREADING QUICKLY IN EUROPE, US
UK-based e-mail security outsourcer MessageLabs Inc. said it had been receiving more than 100 copies of the worm a minute earlier in the day, totaling about 42,000 worldwide since early Tuesday morning, with users in 17 countries hit.
Anti-virus software firm Trend Micro Inc. said it had recorded infections in 17,000 work stations and 30,000 corporate e-mail accounts across Europe, primarily in France, Germany and the United Kingdom.
The first report came from a French company on Tuesday afternoon, said Raimund Genes, Trend Micro's European vice president of sales. The firm has issued a ``high risk'' warning on Goner, the same rating it assigned this summer's virulent Code Red worm
``I expect by tomorrow morning we will see something in Asia, and then from Asia, we'll see re-infections in Europe,'' Genes said.
The origin of the worm remained unclear. Trend Micro and McAfee.com said they suspect it originated in France. But Mikko Hypponen, manager of anti-virus research for Finland-based F-Secure, said he had his doubts, as the first recorded infections came from the United States and South Africa.
Hypponen also said he thought it suspicious that some of the victims were ICQ instant messenger and Internet Relay Chat users. ``It's most likely written by a teenager targeting other teenagers,'' he said.
Experts cautioned people against clicking on attachments from people they don't recognize, urged corporations to block unnecessary attachments such as screen savers before they get through the e-mail gateway.
'Goner' Worm Hitting Corporate, Individual PCs
By Elinor Mills Abreu and Bernhard Warner
SAN FRANCISCO/LONDON (Reuters) - A new computer worm named ''Goner'' was spreading quickly through corporate and personal e-mail inboxes on Tuesday, deleting system files and clogging networks in what could be the biggest outbreak since last year's ``Love Letter'' virus, security software vendors said.
``Goner is one of the most incredibly fast moving and potentially dangerous e-mail viruses we've seen,'' said Mark Sunner, chief technology officer of MessageLabs Inc.
Network Associates Inc. had seen several hundred thousand infections, said Michael Callahan, director of marketing for the company's McAfee division.
``We're seeing a slight bump as Asia comes online,'' he said late in the day.
The worm, a virus that propagates itself to other computers through the Internet or other networks, is affecting users of Microsoft Corp.'s Outlook and Outlook Express, said Ian Hameroff, business manager of security solutions at Computer Associates International Inc.
People using ICQ instant messenger and Internet Relay Chat also are susceptible to the worm because files can be transferred across those networks, Hameroff said.
Outlook 2002 users are not as impacted since it blocks potentially harmful attachments by default and warns users when a program tries to access e-mail addresses, according to Internet Security Systems Inc.
The Goner worm arrives in an attachment masquerading as a screen saver, with an e-mail subject line of ``Hi'' and text that says: ``How are you? When I saw this screen saver, I immediately thought about you I am in a harry (sic), I promise you will love it!''
Once the attachment is clicked, the worm sends itself to everyone in the user's e-mail address book, tries to close programs that are running and deletes certain system files, including security software, said Hameroff.
Goner also tries to install a back door on machines which could turn them into launch pads for denial of service attacks, said Symantec Corp.
In denial of service attacks malicious hackers remotely control multiple PCs, sometimes thousands of them, ordering them to flood Web servers with so much traffic that Web sites are effectively shut down to legitimate traffic.
``This is at outbreak status, which is very rare,'' said April Goostree, virus research manager at McAfee.com. ``The last outbreak we had was 'Love Letter' in May 2000.''
A virus is given outbreak status by McAfee.com if it is determined to be spreading quickly and affecting large corporate networks as well as individual computer users, Goostree said.
One of the nastier aspects of the virus is its attempt to disable antivirus and firewall software, so that victims have to reinstall the software in order to prevent future infections, said Sunner of MessageLabs.
SPREADING QUICKLY IN EUROPE, US
UK-based e-mail security outsourcer MessageLabs Inc. said it had been receiving more than 100 copies of the worm a minute earlier in the day, totaling about 42,000 worldwide since early Tuesday morning, with users in 17 countries hit.
Anti-virus software firm Trend Micro Inc. said it had recorded infections in 17,000 work stations and 30,000 corporate e-mail accounts across Europe, primarily in France, Germany and the United Kingdom.
The first report came from a French company on Tuesday afternoon, said Raimund Genes, Trend Micro's European vice president of sales. The firm has issued a ``high risk'' warning on Goner, the same rating it assigned this summer's virulent Code Red worm
``I expect by tomorrow morning we will see something in Asia, and then from Asia, we'll see re-infections in Europe,'' Genes said.
The origin of the worm remained unclear. Trend Micro and McAfee.com said they suspect it originated in France. But Mikko Hypponen, manager of anti-virus research for Finland-based F-Secure, said he had his doubts, as the first recorded infections came from the United States and South Africa.
Hypponen also said he thought it suspicious that some of the victims were ICQ instant messenger and Internet Relay Chat users. ``It's most likely written by a teenager targeting other teenagers,'' he said.
Experts cautioned people against clicking on attachments from people they don't recognize, urged corporations to block unnecessary attachments such as screen savers before they get through the e-mail gateway.