Microsoft KB Archive/314002

= XGEN: Description of the W32.Goner.A@mm Virus and How to Clean an Exchange Environment =

Article ID: 314002

Article Last Modified on 2/27/2007


APPLIES TO


 * Microsoft Exchange 2000 Server Standard Edition
 * Microsoft Exchange 2000 Enterprise Server
 * Microsoft Exchange Server 5.5 Standard Edition




This article was previously published under Q314002



SUMMARY
This article provides information about the W32.Goner.A@mm virus and how to clean an Exchange environment from an infection of this virus.



MORE INFORMATION
Win32.Goner.A@mm is a "worm" virus. It does not automatically run and only runs if a user opens the attachment named Gone.scr, GONE.SCR, or gone.scr. This virus poses a "medium" payload danger and "high" general risk to Exchange environments. The infection length of the virus is 38,912 bytes.

The subject and text of the e-mail message are:

Subject of e-mail message: Hi

"How are you ?

When I saw this screen saver, I immediately thought about you I am in a harry, promise you will love it!"

The Gone.scr attachment is enclosed.
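A mail-hygiene check built from the indicators above (attachment name in any letter case, subject "Hi", 38,912-byte length), as an added example that is not part of the original article. The sample messages are constructed with a zero-filled attachment, and treating the stated infection length as the decoded attachment size is an assumption.

```python
import email
from email import policy
from email.message import EmailMessage

ATTACHMENT_NAME = "gone.scr"  # article lists Gone.scr, GONE.SCR and gone.scr
INFECTION_LENGTH = 38912      # bytes; assumed equal to the decoded attachment size
SUBJECT = "hi"                # the article gives the subject as "Hi"

def goner_indicators(raw_message: bytes) -> list:
    """Return which of the article's indicators one RFC 822 message matches."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        # Compare only the final path component, case-insensitively.
        name = (part.get_filename() or "").replace("\\", "/").rsplit("/", 1)[-1]
        if name.strip().lower() != ATTACHMENT_NAME:
            continue
        hits.append("attachment-name")
        if len(part.get_payload(decode=True) or b"") == INFECTION_LENGTH:
            hits.append("attachment-size")
    return hits

def should_quarantine(hits: list) -> bool:
    """The attachment name decides; a bare "Hi" subject is far too common."""
    return "attachment-name" in hits

def build_sample(subject: str, filename: str, size: int) -> bytes:
    """Constructed message for testing; the attachment is zero-filled, not the worm."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("How are you ?")
    m.add_attachment(b"\x00" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for args in [("Hi", "GONE.SCR", 38912), ("Hi", "notes.txt", 12)]:
        hits = goner_indicators(build_sample(*args))
        print(args[1], hits, "quarantine" if should_quarantine(hits) else "pass")
```
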

This virus propagates by sending itself to all of the users in the Microsoft Outlook Address Book. The attachment does not automatically run when the user opens the message, and the virus is not activated automatically when the virus message is selected and the Outlook preview pane is used to view the message. W32.Goner.A@mm is a mass-mailing worm that is written in Microsoft Visual Basic. The worm is also compressed by using a known file compressor. The worm can also spread its infection by using the ICQ and IRC networks.

When W32.Goner.A@mm is run, it begins by displaying an About window. The worm then starts to propagate itself by using the Outlook Address Book. The worm sends itself to all of the addresses that it can find.

The worm also adds a registry key called C:\ \gone.scr (where  is the path to the Windows\System folder). The key has the same value as the name and is located in the following registry path:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

For additional, detailed technical information, see your antivirus vendor's Web site.

General Recommendations
 * Shut down all of the Internet gateways to stop the influx of the virus into your organization.
 * Instruct Exchange users to install the Microsoft Outlook 2000 security patch on the client computers. You can download the patch from the following Microsoft Web site: http://www.microsoft.com/downloads/details.aspx?FamilyID=96DF48A9-7638-429E-816E-35F16F6528CA&displaylang=EN
 * Clean up specific Exchange components. To obtain instructions for each component, see the "Specific Instructions" section of this article.
 * Install the latest signature files from your antivirus vendor, which detect and clean the virus.

To avoid re-infection, you must complete all of the preceding steps before you turn on your Internet gateways.

Specific Instructions
For detailed, specific information about how to clean up your Exchange organization, download the appropriate zip file by clicking one of the following links. Exchange 2000 Server and Exchange Server 5.5 have their own respective packages to download:

 * For Exchange 2000 Server: Download W32goner2kNew.zip now
 * For Exchange Server, version 5.5: Download W32goner55new.zip now

These packages contain complete and detailed instructions about how to clean up Exchange 2000 and Exchange Server 5.5 computers. This includes instructions about how to clean the information store, message transfer agent (MTA), and transport components.

Additional Links for Virus Information
All of the major antivirus vendors have signature files to detect and clean up this virus. Install the latest relevant update to ensure that you are protected. The following list contains some antivirus vendors' information:

 * InoculateIT Engine Virus Signature Update Files: Version 23.48.49 (Engine version 23.48.00)
 * Vet Engine Virus Signature Update Files: Vet signature will be 10.4.1678 (Detect only Engine version 10.4.1)
 * Inoculan 4.0/InoculateIT 4.5x Virus Signature Update Files: Version 30.49 (Engine version 30.00)

To find additional detailed information, see your antivirus vendor's Web site. For your convenience, some of these Web sites are listed:
 * Symantec:
   * http://www.symantec.com/
   * http://securityresponse.symantec.com/avcenter/venc/data/w32.goner.a@mm.html
 * Network Associates/McAfee:
   * http://www.nai.com/
   * http://vil.nai.com/vil/virusSummary.asp?virus_k=99272
 * Computer Associates:
   * http://www.cheyenne.com/
   * http://www3.ca.com/Press/PressRelease.asp?id=1840

Helpful KB Articles
246916 XADM: How to Find Mailboxes That Contain a Specific Message

174197 XADM: Microsoft Exchange Mailbox Merge Program (Exmerge.exe) Information

Additional query words: Pentagone

Keywords: kbdownload kbhowto KB314002


© Microsoft Corporation. All rights reserved.