Elinor Mills Abreu & Bernhard Warner
SAN FRANCISCO/LONDON: A new computer worm named "Goner" was
spreading quickly through corporate and personal e-mail inboxes on Tuesday,
deleting system files and clogging networks in what could be the biggest
outbreak since last year's "Love Letter" virus, security software
vendors said.
"Goner is one of the most incredibly fast moving and potentially
dangerous e-mail viruses we've seen," said Mark Sunner, chief technology
officer of MessageLabs Inc.
Network Associates Inc. had seen several hundred thousand infections, said
Michael Callahan, director of marketing for the company's McAfee division.
"We're seeing a slight bump as Asia comes online," he said late in the
day.
The worm, a virus that propagates itself to other computers through the
Internet or other networks, is affecting users of Microsoft Corp.'s Outlook and
Outlook Express, said Ian Hameroff, business manager of security solutions at
Computer Associates International Inc. People using ICQ instant messenger and
Internet Relay Chat also are susceptible to the worm because files can be
transferred across those networks, Hameroff said.
Outlook 2002 users are not as impacted since it blocks potentially harmful
attachments by default and warns users when a program tries to access e-mail
addresses, according to Internet Security Systems Inc. The Goner worm arrives in
an attachment masquerading as a screen saver, with an e-mail subject line of
"Hi" and text that says: "How are you? When I saw this screen
saver, I immediately thought about you I am in a harry (sic), I promise you will
love it!" Once the attachment is clicked, the worm sends itself to everyone
in the user's e-mail address book, tries to close programs that are running and
deletes certain system files, including security software, said Hameroff.
Goner also tries to install a back door on machines that could turn them into
launch pads for denial of service attacks, said Symantec Corp. In denial of
service attacks malicious hackers remotely control multiple PCs, sometimes
thousands of them, ordering them to flood Web servers with so much traffic that
Web sites are effectively shut down to legitimate traffic.
"This is at outbreak status, which is very rare," said April
Goostree, virus research manager at McAfee.com. "The last outbreak we had
was 'Love Letter' in May 2000." A virus is given outbreak status by
McAfee.com if it is determined to be spreading quickly and affecting large
corporate networks as well as individual computer users, Goostree said. One of
the nastier aspects of the virus is its attempt to disable antivirus and
firewall software, so that victims have to reinstall the software in order to
prevent future infections, said Sunner of MessageLabs.
Spreading quickly in Europe, US
UK-based e-mail security outsourcer MessageLabs Inc. said it had been
receiving more than 100 copies of the worm a minute earlier in the day, totaling
about 42,000 worldwide since early Tuesday morning, with users in 17 countries
hit. Anti-virus software firm Trend Micro Inc. said it had recorded infections
in 17,000 work stations and 30,000 corporate e-mail accounts across Europe,
primarily in France, Germany and the United Kingdom.
The first report came from a French company on Tuesday afternoon, said
Raimund Genes, Trend Micro's European vice president of sales. The firm has
issued a "high risk" warning on Goner, the same rating it assigned
this summer's virulent Code Red worm. "I expect by tomorrow morning we will
see something in Asia, and then from Asia, we'll see re-infections in
Europe," Genes said.
The origin of the worm remained unclear. Trend Micro and McAfee.com said they
suspect it originated in France. But Mikko Hypponen, manager of anti-virus
research for Finland-based F-Secure, said he had his doubts, as the first
recorded infections came from the United States and South Africa.
Hypponen also said he thought it suspicious that some of the victims were ICQ
instant messenger and Internet Relay Chat users. "It's most likely written
by a teenager targeting other teenagers," he said. Experts cautioned people
against clicking on attachments from people they don't recognize, urged
corporations to block unnecessary attachments such as screen savers before they
get through the e-mail gateway.
© Reuters Limited