Name:  W32/Goner.A@mm
Aliases:  I-Worm.Goner, Gone, Goner
Variants:  
Type:  Internet worm
Platforms: Windows 32-bit, Outlook, mIRC, ICQ
Status:  in the wild
Threat:  V-CON 3 (medium)
The following has been derived from information provided by F-Secure, Kaspersky Labs and Norman.
Virus Characteristics
The worm arrives in the form of an email with the following characteristics:
Subject: "Hi"
Body:
"How are you ?
When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!"
Attachment: GONE.SCR
Upon execution the worm displays a small animated picture followed by an error message. It then attempts to mail itself to all addresses found in the Outlook address book.
The worm copies itself to the Windows system directory under the name GONE.SCR and adds an entry under the following registry key so that it runs at startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
The worm also attempts to spread by sending itself to the user's on-line contacts through ICQ. It also copies a number of scripts into the mIRC client directory which can be used to flood Internet Relay Chat channels.
The worm looks for the running processes of a number of popular anti-virus and security applications and attempts to terminate them. It then attempts to delete the files belonging to these processes. If they cannot be deleted, the worm creates a WININIT.INI file which is used to delete the files at next startup.
Payload
Potential for increased email activity in corporate messaging environments. The worm has the potential to delete critical files for security and anti-virus software.
Preventative Measures
Block messages with the following attachment names at the messaging gateway where possible:
Attachment name: GONE.SCR
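A gateway-side check for the attachment name above, as an added example (not part of the original advisory or of any vendor's product). The function names and the sample message are constructed for illustration; the check matches the name case-insensitively and in both MIME headers that can declare a filename.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import collapse_rfc2231_value

# Attachment name taken from the advisory; compared in lower case.
BLOCKED_NAMES = {"gone.scr"}

def normalize(name):
    """Reduce a declared filename to the form Windows would save it under."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path prefix
    return name.strip().rstrip(". ").lower()           # trailing dots/spaces are ignored

def declared_names(part):
    """Yield each filename a MIME part declares.

    get_filename() reads Content-Disposition first and only falls back to
    Content-Type, so the Content-Type "name" parameter is checked separately
    in case the two headers disagree.
    """
    for name in (part.get_filename(), part.get_param("name")):
        if name:
            # RFC 2231 encoded parameters can come back as a 3-tuple.
            yield name if isinstance(name, str) else collapse_rfc2231_value(name)

def blocked_attachments(raw_bytes):
    """Return the blocked attachment names declared anywhere in the message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also descends into attached messages
        for name in declared_names(part):
            if normalize(name) in BLOCKED_NAMES and name not in hits:
                hits.append(name)
    return hits

def sample_message(filename):
    """Constructed test message (not a captured sample): dummy bytes as attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Hi"
    msg.set_content("constructed sample body")
    msg.add_attachment(b"dummy", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for fname in ("GONE.SCR", "Gone.Scr", "report.pdf"):
        hits = blocked_attachments(sample_message(fname))
        print(fname, "->", "BLOCK" if hits else "pass")
```
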
Fixes Available
Network Associates: No information at time of alert
Symantec: No information at time of alert
Trend: Pattern 177 pending release