Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

XGEN: Description of the W32.Goner.A@mm Virus and How to Clean an Exchange Environment



This article was previously published under Q314002



Summary

This article provides information about the W32.Goner.A@mm virus and describes how to clean an Exchange environment that is infected with this virus.



More information

Win32.Goner.A@mm is a "worm" virus. It does not automatically run and only runs if a user opens the attachment named Gone.scr, GONE.SCR, or gone.scr. This virus poses a "medium" payload danger and "high" general risk to Exchange environments. The infection length of the virus is 38,912 bytes.

The subject and text of the e-mail message are as follows:
Subject of e-mail message: Hi

"How are you ?

When I saw this screen saver, I immediately thought about you I am in a harry, promise you will love it!"
The Gone.scr attachment is enclosed.

This virus propagates by sending itself to all of the users in the Microsoft Outlook Address Book. The attachment does not run automatically when the user opens the message, and the virus is not activated when the message is selected and viewed in the Outlook preview pane. W32.Goner.A@mm is a mass-mailing worm that is written in Microsoft Visual Basic. The worm is also compressed by using a known file compressor. The worm can also spread by using the ICQ and IRC networks.

When W32.Goner.A@mm is run, it begins by displaying an About window. The worm then starts to propagate itself by using the Outlook Address Book. The worm sends itself to all of the addresses that it can find.

The worm also adds a registry entry named C:\system\gone.scr (where system is the path to the Windows\System folder). The entry's value is the same as its name, and the entry is located in the following registry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
For additional, detailed technical information, see your antivirus vendor's Web site.
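
The indicators described above (subject, body text, attachment name and infection length), applied as a mail-triage check. This is an added example, not part of the original KB article or any Microsoft cleanup tool; the function names and the sample messages are constructed for illustration, and the sample attachment is null-byte filler.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the article text above.
ATTACHMENT_NAME = "gone.scr"   # article lists Gone.scr, GONE.SCR, gone.scr
INFECTION_LENGTH = 38912       # bytes
SUBJECT = "hi"
BODY_MARKER = "when i saw this screen saver"

def goner_indicators(raw):
    """Return the names of the article's indicators found in one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_MARKER in body.get_content().lower():
        hits.append("body")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").strip().lower() != ATTACHMENT_NAME:
            continue
        hits.append("attachment-name")
        # Compare the decoded size, not the base64-encoded size on the wire.
        if len(part.get_payload(decode=True) or b"") == INFECTION_LENGTH:
            hits.append("attachment-size")
    return hits

def is_suspect(raw):
    """Flag on the attachment name; a subject of "Hi" alone is too common."""
    return "attachment-name" in goner_indicators(raw)

def build_sample(subject, text, filename=None, size=0):
    """Constructed test message; the attachment is null-byte filler, not malware."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(text)
    if filename:
        m.add_attachment(b"\x00" * size, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    worm_like = build_sample("Hi", "How are you ?\nWhen I saw this screen saver, ...",
                             "GONE.SCR", INFECTION_LENGTH)
    benign = build_sample("Hi", "Lunch on Friday?")
    for raw in (worm_like, benign):
        print(goner_indicators(raw), is_suspect(raw))
```
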

How to Clean Your Exchange Environment

General Recommendations

  1. Shut down all of the Internet gateways to stop the influx of the virus into your organization.
  2. Instruct Exchange users to install the Microsoft Outlook 2000 security patch on the client computers. You can download the patch from the following Microsoft Web site:
  3. Clean up specific Exchange components. To obtain instructions for each component, see the "Specific Instructions" section of this article.
  4. Install the latest signature files from your antivirus vendor, which detect and clean the virus.
  5. To avoid re-infection, you must complete all of the preceding steps before you turn on your Internet gateways.
These packages contain complete and detailed instructions about how to clean up Exchange 2000 and Exchange Server 5.5 computers. This includes instructions about how to clean the information store, message transfer agent (MTA), and transport components.

Additional Links for Virus Information

All of the major antivirus vendors have signature files to detect and clean up this virus. Install the latest relevant update to ensure that you are protected. The following list contains some antivirus vendors' information:
  • InoculateIT Engine Virus Signature Update Files:
    Version 23.48.49 (Engine version 23.48.00)
  • Vet Engine Virus Signature Update Files:
    Vet signature will be 10.4.1678 (Detect only Engine version 10.4.1)
  • Inoculan 4.0/InoculateIT 4.5x Virus Signature Update Files:
    Version 30.49 (Engine version 30.00)
To find additional detailed information, see your antivirus vendor's Web site. For your convenience, some of these Web sites are listed:

Helpful KB Articles

246916 XADM: How to Find Mailboxes That Contain a Specific Message
174197 XADM: Microsoft Exchange Mailbox Merge Program (Exmerge.exe) Information



Keywords: KB314002, kbhowto, kbdownload


Article Info
Article ID : 314002
Revision : 8
Created on : 2/27/2007
Published on : 2/27/2007
Exists online : False