'Goner' Worm Outbreak Spurs Anti-Virus Updates

‘Goner’ Worm Outbreak Spurs Anti-Virus Updates

By JOSEPH MENN

Dec. 5, 2001 12 AM PT

TIMES STAFF WRITER

A computer worm posing as a screen saver infected tens of thousands of machines worldwide Tuesday in one of the worst outbreaks in more than a year, and it may be connected to a successful denial-of-service attack on the Computer Emergency Response Team Coordination Center.

The program, known as “Goner,” spreads mainly through the Microsoft Outlook e-mail system as a message from someone the recipient knows.

The message says its attachment is a screen saver, but when opened, the file takes control of the machine, deleting anti-virus software and resending itself to names in the user’s Outlook address book.

The worm is more pernicious than those used in similar e-mail infections because it manipulates other communications programs as well, including the ICQ instant-messaging service and Internet Relay Chat, which can be rigged to launch denial-of-service attacks.

CERT, the top federally funded security information clearinghouse at Carnegie Mellon University, may have been one of the first targets of Goner’s denial-of-service attack. CERT’s Web pages were knocked out late Tuesday after it posted a warning on the worm.

In a brief statement, the facility said it was “currently undergoing a denial of service attack. All critical CERT/CC functions remain operational. Incident and vulnerability reports are being processed and advisories will be issued if needed.”

CERT is attacked often, but it usually prevails. In May, it was knocked out sporadically over several days.

If CERT was targeted by the same hackers who released the Goner worm, their overall strategy was more extensive than in previous viruses or in denial-of-service attacks.

The strategy would fit with the worm’s deletion of anti-virus programs and security firewalls.

“This is an anti-virus virus,” said David Perry of security company Trend Micro Inc., which recorded infections in 17,000 work stations and 30,000 corporate e-mail accounts across Europe.

McAfee, a division of Network Associates Inc., placed Goner on “outbreak” status. The last virus with that status was the “Love Letter,” which attacked more than a year ago and caused billions of dollars in damage worldwide.

“It’s moving extremely quickly,” said McAfee researcher April Goostree.

Anti-virus companies received the first samples of Goner from Europe, particularly France and Germany. By Tuesday afternoon, several major anti-virus companies, including McAfee and Symantec, had released updates so their software could detect Goner.

Symantec had received more than 1,000 reports of worm infections, each representing anywhere from a single user to an entire firm.

Computer experts advise that people not open unexpected e-mail attachments, even if the sender is familiar. Users should update their anti-virus software at least weekly.

In recent months, more worms have been attempting to install either “back doors” that allow the worm authors to access machines or to launch denial-of-service attacks, which flood Web page servers with so many requests for information that they are rendered inoperable. The “Code Red” virus used that gambit to launch a denial-of-service attack on the White House Web pages but failed to shut them down.

The collapse of CERT’s pages “shows any Web page can be taken down by an adversary that really wants it to happen,” said SecurityFocus.com Chief Technology Officer Elias Levy.

Times staff writer Dave Wilson and Reuters and the Associated Press contributed to this report.