'Goner' computer worm not a goner yet

10.00 am

SAN FRANCISCO/LONDON - The so-called "Goner" internet worm was still infecting computers in the United States today, after wreaking havoc there and in Europe yesterday, but was leaving Asia relatively unscathed, software security experts said.

After slowing down overnight, the worm was making a bit of a comeback, said Michael Callahan, director of marketing for McAfee.com.

The company's online scanning service yesterday encountered a peak of 21,000 Goner worms per hour around 3 pm PST (noon Wednesday NZT) he said.

After dropping sharply overnight, the number began picking up at 6 am PST (3 am NZT) today and spiked up to 36,000 per hour between 8 am and 9 am. It then dropped down the next hour to less than 3,000 and was rising to about 5,000 an hour later.

Tim Wood, a director at internet service provider ihug, said the virus arrived in New Zealand on Tuesday and computer users should beware.

"This will be the third big one in the last three weeks and they are getting more devious and damaging," he said. "I presume it will be as bad as Badtrans. It has different side-effects, is hard to detect and is quite destructive.

Mr Wood recommends users update e-mail filter programs every week and change their dial-in password every 60 days or sign on to a screening service that will filter e-mails before they arrive.

"These precautions are now a fact of life, otherwise it's like walking out of the house and leaving the door open with a spray can on the table and 'paint me' on the wall," he said.

UK-based e-mail security outsourcer MessageLabs reported seeing a total of about 80,000 Goner infections worldwide in 19 countries, with the United States, Great Britain, France and Germany hit the hardest, said Mark Sunner, chief technology officer.

The worm spreads through ICQ instant messaging and internet Relay Chat programs, but primarily through e-mail software Microsoft Outlook and Outlook Express, but not Outlook 2002.

Users of other e-mail software are susceptible to the virus, but it will not disseminate further through their e-mail address books.

The e-mail has an attachment masquerading as a screen saver that when opened sends the worm to everyone in the e-mail address book, deletes anti-virus and firewall software and installs a back door that could enable future hacking, experts said.

The worm, a self-propagating virus, spread so quickly and widely yesterday that some anti-virus vendors warned it could be the biggest outbreak since last year's "Love Letter" virus. That worm caused an estimated $US8.7 billion in damage, according to Computer Economics, which tracks the economic toll of computer viruses.

While it was the No. 2 virus on Trend Micro's worldwide virus outbreak map, second to Love Bug, it was third on Network Associates' daily list and only seventh on McAfee.com's real-time virus map.

The worm heavily impacted corporate and home users in the United States and Europe, but countries in the Asia-Pacific region were much less affected, except in Australia, experts said.

"The worm didn't hit Asia as hard as most people expected it would," said April Goostree, virus research manager for McAfee.com.

Trend Micro officials in Asia attributed that partly to less use of Outlook, ICQ and IRC in that region, but Goostree and others said it was mostly due to timing.

Anti-virus "updates got out around the world and more or less beat the clock," said Ian Hameroff, business manager of security solutions at Computer Associates International.

Trend Micro recorded 38,000 computer work stations and 80,000 e-mail networks around the world had been affected as of 0900 GMT (10 pm NZT), Genes said. One Trend Micro customer had to purge 50 infestations from its e-mail network per hour on Wednesday morning, he added.

Experts said there were signs Goner's infestation was slowing, but that it was likely to persist into next week. An anti-virus consultant for Sophos Anti-Virus in the UK said it was likely that the number of Goner victims would be in the hundreds of thousands before it disappeared from view.

Anti-virus software firms hastily designed an antidote on Tuesday to contain the worm. "It's not a complex one," Trend Micro's Genes said of Goner.

Security experts said Goner's uncomplicated coding and the fact it targeted some chat users led them to suspect the author was a teenager.

- REUTERS

McAfee virus information library

Trend Micro virus information centre

Symantec security updates