Win32.Goner.A@mm is a "worm" virus. It does not
automatically run and only runs if a user opens the attachment named Gone.scr,
GONE.SCR, or gone.scr. This virus poses a "medium" payload danger and "high"
general risk to Exchange environments. The infection length of the virus is
38,912 bytes.
The subject and Text of the e-mail message is:
Subject of e-mail message: Hi
"How are you ?
When I saw this screen saver, I immediately thought about you
I am in a harry, promise you will love it!"
The Gone.scr attachment is enclosed.
This virus
propagates by sending itself to all of the users in the Microsoft Outlook
Address Book. Therefore, the attachment does not automatically run when the
user opens the message and the virus is not activated automatically when the
virus message is selected and the Outlook preview pane is used to view the
message. W32.Goner.A@mm is a mass-mailing worm that is written in Microsoft
Visual Basic. The worm is also compressed by using a known file compressor. The
worm can also spread its infection by using the ICQ and IRC networks.
When W32.Goner.A@mm is run, it begins by displaying an About window. The worm
then starts to propagate itself by using the Outlook Address Book. The worm
sends itself to all of the addresses that it can find.
The worm also
adds a registry key called
C:\system\gone.scr (where
system is the path to the
Windows\System folder). The key has the same value as the name and is located
in the following registry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
For additional, detailed technical information, see
your antivirus vendor's Web site.
How to Clean Your Exchange Environment
General Recommendations
- Shut down all of the Internet gateways to stop the influx
of the virus into your organization.
- Instruct Exchange users to install the Microsoft Outlook
2000 security patch on the client computers. You can download the patch from
the following Microsoft Web site:
- Clean up specific Exchange components. To obtain
instructions for each component, see the "Specific Instructions" section of
this article.
- Install the latest signature files from your antivirus
vendor, which detect and clean the virus.
- To avoid re-infection, you must complete all of the
preceding steps before you turn on your Internet gateways.
These packages contain complete and detailed instructions
about how to clean up Exchange 2000 and Exchange Server 5.5 computers. This
includes instructions about how to clean the information store, message
transfer agent (MTA), and transport components.
Additional Links for Virus Information
All of the major antivirus vendors have signature files to detect
and clean up this virus. Install the latest relevant update to ensure that you
are protected. The following list contains some antivirus vendors' information:
- InoculateIT Engine Virus Signature Update Files:
Version 23.48.49 (Engine version 23.48.00)
- Vet Engine Virus Signature Update Files:
Vet signature will be 10.4.1678 (Detect only Engine version 10.4.1)
- Inoculan 4.0/InoculateIT 4.5x Virus Signature Update Files:
Version 30.49 (Engine version 30.00)
To find additional detailed information, see your antivirus
vendor's web site. For your convenience, some of these Web sites are listed:
- Symantec:
- Network Associates/McAfee:
- Computer Associates:
Helpful KB Articles
246916�
XADM: How to Find Mailboxes That Contain a Specific Message
174197�
XADM: Microsoft Exchange Mailbox Merge Program (Exmerge.exe)Information