Be careful with e-mailed holiday screensavers, peeps. A nasty little worm is working its way around and wreaking havoc today.
WORM_GONE.A
In the wild: Yes
Payload 1: Displays Message
Trigger condition 1: Upon execution
Discovered: 1 hour 59 minutes ago
(December 4, 2001 6:40:00 AM GMT -0800)
Language: English
Platform: Windows
Encrypted: No
Size of virus: 38,912 Bytes
Details:
This worm arrives via email as the attachment GONE.SCR. The file is packed using the UPX packer program and is compiled using Visual Basic.
The email details in which this Worm arrives are as follows:
Subject: Hi
Message Body: How are you ?
When I saw this screensaver, I immediately thought about you
I am in a harry, I promise you will love it!
Attachment: GONE.SCR
When executed, it displays a window containing the following:
pentagone
coded by: suid
texted by: ThE_SKuLL and |satan|
greetings to: TraceWar. k9_unit, stef16 ^Reno
greetings also to nonick2 out
there where ever you are
It then copies the worm file to a %System%\GONE.SCR file. It creates the following registry key to auto-execute the copied file every time Windows is restarted:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\%System%\gone.scr = %System%\gone.scr
It also uses the mIRC application to install a backdoor. It creates a REMOTE.INI file, which contains a script that loads every time the mIRC application is started.
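A mail-gateway style check built from the e-mail details quoted above, as an added example that is not part of the original post or the advisory. It goes slightly beyond the advisory by also flagging any other .scr attachment, since Windows screensaver files are executables; the function names and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory text on this page.
WORM_ATTACHMENT = "gone.scr"
WORM_SUBJECT = "hi"
WORM_BODY_MARKER = "when i saw this screensaver"


def scan_message(raw_bytes):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        if name == WORM_ATTACHMENT:
            findings.append("attachment name matches GONE.SCR")
        elif name.endswith(".scr"):
            # Generalisation: any screensaver attachment is executable code.
            findings.append("screensaver attachment: " + name)
        if part.get_content_type() == "text/plain" and not name:
            if WORM_BODY_MARKER in part.get_content().lower():
                findings.append("body text matches advisory")
    # "Hi" alone is far too common a subject; count it only as corroboration.
    subject = (msg["Subject"] or "").strip().lower()
    if findings and subject == WORM_SUBJECT:
        findings.append("subject matches advisory")
    return findings


def build_sample(filename, subject, body):
    """Constructed test message; the attachment bytes are a harmless placeholder."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"placeholder, not a real executable",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    body = "How are you ?\nWhen I saw this screensaver, I immediately thought about you\n"
    for finding in scan_message(build_sample("GONE.SCR", "Hi", body)):
        print(finding)
```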