E-mail virus hits thousands of PCs

December 5, 2001

The "Goner" e-mail virus is sweeping through corporate and personal computers, forcing companies to take down e-mail networks and exposing the continued vulnerability of many computer systems.

Anti-virus officials estimated late Tuesday, the day the virus hit in full force, that thousands of computers in the U.S. were affected. The virus is launched when the user opens an attachment. Once launched, the virus replicates itself, sending e-mails with the same attachment to people in the victim's address book, and seeks to destroy certain files on the infected computer.

"Goner is one of the most incredibly fast moving and potentially dangerous e-mail viruses we've seen," said Mark Sunner, chief technology officer of MessageLabs Inc.

The virus, called a worm because it spreads to other computers through the Internet and other networks, often arrives from somebody the target knows, with the subject line "Hi." The e-mail's text reads: "How are you? When I saw this screen saver, I immediately thought about you I am in a harry, I promise you will love it!"

Many companies and individuals struck by last year's "I Love You" virus have been trying to build electronic shields to prevent further attacks, but the quick spread of the virus Tuesday revealed that effort's shortcomings.

"It shows that really the state of the union hasn't improved very much," said Dave Dobrotka, head of an Ernst & Young group in Chicago that helps companies identify computer system vulnerabilities.

While some companies have gone to the extreme of eliminating all incoming attachments, more try to limit their virus vulnerability by detaching only certain types of files.

But Dobrotka said the battle is nearly always lost once an infected attachment gets through.

"Somebody's going to open it once it gets there," he said.

First reports about the "Goner" virus surfaced Monday and its transmission began to rapidly escalate Tuesday morning, rivaling the speed of "I Love You" and "Melissa" attacks.

One of the nastier aspects of the virus is its attempt to disable anti-virus and firewall software, so its victims have to reinstall the software in order to prevent future infections, said Sunner of MessageLabs.

Michael Callahan, director of marketing for anti-virus firm McAfee, a division of Network Associates, said the virus tries to delete applications when machines reboot, particularly computers with Windows 95 and Windows 98.

McAfee's VirusScan and Symantec's Norton AntiVirus are among the applications the virus attempts to delete.

"The virus writer obviously targeted the leaders in the industry as far as virus protection goes," Callahan said.

Like many of its predecessors, the new virus uses Microsoft Corp.'s popular Outlook and Outlook Express e-mail programs to spread itself.

But in a new twist, people using ICQ instant messenger and Internet Relay Chat also are susceptible to the worm because files can be transferred across those networks.

U.K.-based e-mail security outsourcer MessageLabs Inc. said it was receiving more than 100 copies of the worm a minute, totaling about 23,000 worldwide since early Tuesday morning, with users in 17 countries hit.

Anti-virus software firm Trend Micro Inc. said it had recorded infections in 17,000 workstations and 30,000 corporate e-mail accounts across Europe, primarily in France, Germany and the United Kingdom.

The origin of the worm remained unclear. Some anti-virus firms said they suspect it originated in France. But Mikko Hypponen, manager of anti-virus research for Finland-based F-Secure, said he had his doubts, as the first recorded infections came from the U.S. and South Africa.

Hypponen also said he thought it suspicious that some of the victims were ICQ and IRC users.

"It's most likely written by a teenager targeting other teenagers," he said.

Tribune wire services contributed to this report.