Why did the Goner e-mail virus cause such havoc?

The latest virus attack infected more e-mails than any other virus except Love Bug. Yet, as Bill Goodwin finds out, it was not technically innovative

Businesses have been warned to expect a wave of e-mail viruses in the wake of the Goner virus which struck organisations around the world last week.

Goner, described by some experts as the most virulent virus since Love Bug, spread worldwide in a matter of hours on 4 December, causing e-mail systems to become congested and damaging unprotected systems.

"This one has really hit businesses hard," said Alex Shipp, virus technologist at Message Labs. "When the Love Bug struck, one in 20 e-mails were infected. With Goner it was one in 30. We have only had one other virus that infected more than one in 100 e-mails."

Experts warned employers to expect a wave of copycat viruses over the coming weeks as virus writers take advantage of the Christmas season to hide malicious code in Christmas cards, jokes and screensavers.

"Now is a good time to reinforce to your office that sending things like that has dangerous consequences," said Graham Cluley, virus technologist at Sophos.

"A lot of people are getting into the habit of sending joke e-mails and screensavers. These present a danger because jokes can be accidentally infected with a virus and if you have an attitude that exchanging jokes is acceptable, virus writers will exploit that," he said.

The fact that the Goner virus, also known as Pentagone, was able to spread so rapidly has raised questions about the adequacy of the anti-virus defences that companies have put in place.

The virus could easily have been prevented, for instance, by blocking incoming e-mail attachments with a screensaver (.scr) extension, a file type that has few, if any, legitimate business uses.
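A gateway check of the kind described above can be sketched as follows. This is an added example, not code from the article or from any vendor it quotes; the block list beyond screensaver files, the function names and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Windows screensaver files (.scr) are executables. The other entries are an
# assumed, illustrative policy, not a list taken from the article.
BLOCKED_EXTENSIONS = {".scr", ".pif", ".vbs"}


def blocked_attachments(raw_message: bytes) -> list:
    """Return the filenames of MIME parts whose final extension is blocked."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also descends into nested multiparts
        name = part.get_filename()  # decodes RFC 2231 encoded filenames
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so "card.scr." still runs
        # as a screensaver; normalise before comparing.
        cleaned = name.strip().rstrip(". ").lower()
        # Only the last extension decides how the file opens ("card.jpg.scr").
        ext = "." + cleaned.rpartition(".")[2] if "." in cleaned else ""
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample(filename: str) -> bytes:
    """Build a constructed test message carrying one harmless attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"constructed placeholder bytes",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for sample in ("card.jpg.scr", "HOLIDAY.SCR", "card.scr.", "report.pdf"):
        verdict = "BLOCK" if blocked_attachments(build_sample(sample)) else "allow"
        print(f"{sample!r}: {verdict}")
```

Matching on the normalised final extension rather than the raw name is what catches double extensions, upper-case names and trailing-dot variants that a naive string comparison would let through.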

More significantly, it shows that companies still have some way to go in educating their staff to react cautiously to unsolicited e-mail attachments, said Sal Viveros, marketing director at anti-virus firm McAfee.

The lesson to be learnt is the same for all of these e-mail viruses, he said: "If an e-mail you are not expecting is sent to you and it has an attachment, don't open it."

Goner had an unpleasant payload for the companies that were infected. The virus is designed to identify and remove anti-virus software from the PCs it infects. It also attacks personal firewall software, leaving PCs open to hacking or denial of service attacks.

"If you are running an old version of your anti-virus [software] when you receive Goner, that's rather nasty because not only do you catch this virus but you are vulnerable to other viruses as well. You might think you were immune to Kakworm and Sircam, but you're not," said Cluley.

Repairing the virus damage could prove expensive for organisations that find their systems infected. The clean-up and damage costs could exceed the $8.75bn attributed to the more virulent Love Bug virus which struck in 2000, experts believe. In some cases, companies will be forced to re-install anti-virus software on infected machines manually.

"You need to reinstall your anti-virus software and patch on the new virus software. That can be quite tricky. If you install your anti-virus software while the virus is still running, it is going to remove the software as you install it. The only recommendation is to visit your anti-virus supplier's Web site and follow its instructions," said Shipp.

Despite its ranking as one of the most prolific e-mail viruses, the technology behind Goner is not particularly innovative:

    • The program was written in compiled Visual Basic and did not call for much programming skill

    • It made no attempt to disguise itself by using random file names or e-mail subject headers

    • It was able to spread rapidly because, unlike the Love Bug virus, which struck once, Goner continually e-mailed copies of itself to every contact in the Outlook address books of infected machines. Further copies were sent through the IRC and ICQ Internet discussion channels.

"It had a really big lucky break in timing. It managed to reach a critical mass before the anti-virus companies released new anti-virus signatures," said Shipp.

In future, the anti-virus software suppliers may have to rethink their strategy and publish new signatures earlier, Shipp suggested.

"My guess is that a lot of [the suppliers] could have released a signature much earlier just to stop the virus and release another one later to do the clean-up," said Shipp. "They don't do that because it is not acceptable to their customers. In the light of Goner, [suppliers] may rethink that."

Goner is just the latest example of a problem that is growing at an incredible rate. With virus attacks threatening to reach a peak over the Christmas holidays, now is a good time for companies to re-evaluate their anti-virus policies.
