Goner Worm Not Goner Yet

The so-called "Goner" Internet worm was still infecting computers in the United States Wednesday, after wreaking havoc there and in Europe Tuesday, but was leaving Asia relatively unscathed, software security experts said.

After slowing down overnight, the worm was making a bit of a comeback, said Michael Callahan, director of marketing for Network Associates 's McAfee division.

The company's online scanning service Tuesday encountered a peak of 21,000 Goner worms per hour around 3 p.m. PST (6 p.m. EST/2300 GMT), he said.

After dropping sharply overnight, the number began picking up at 6 a.m. PST (9 a.m. EST/1400 GMT) Wednesday and spiked up to 36,000 per hour between 8 a.m. PST and 9 a.m. PST. It then dropped down the next hour to less than 3,000 and was rising to about 5,000 an hour later.

UK-based e-mail security outsourcer MessageLabs reported seeing a total of about 80,000 infections worldwide in 19 countries, with the United States, Great Britain, France and Germany hit the hardest, said Mark Sunner, chief technology officer.

The worm spreads through ICQ instant messaging and Internet Relay Chat programs, but primarily through e-mail software in Microsoft Outlook and Outlook Express, but not Outlook 2002.

The e-mail has an attachment masquerading as a screen saver that when opened up sends the worm to everyone in the e-mail address book, deletes anti-virus and firewall software and installs a back door that could enable future hacking, experts said.

The worm, a self-propagating virus, spread so quickly and widely Tuesday that some anti-virus vendors warned it could be the biggest outbreak since last year's "Love Letter" virus. That worm caused an estimated $8.7 billion in damage, according to Computer Economics, which tracks the economic toll of computer viruses.

While it was the No. 2 virus on Trend Micro 's worldwide virus outbreak map, second to Love Bug, it was third on Network Associates s' daily list and only seventh on McAfee.com's real-time virus map.

ASIA RELATIVELY SPARED

The worm heavily impacted corporate and home users in the United States and Europe, but countries in the Asia-Pacific region were much less affected, except in Australia, experts said.

"The worm didn't hit Asia as hard as most people expected it would," said April Goostree, virus research manager for McAfee.com.

Trend Micro officials in Asia attributed that partly to less use of Outlook, ICQ and IRC in that region, but Goostree and others said it was mostly due to timing.

Anti-virus "updates got out around the world and more or less beat the clock," said Ian Hameroff, business manager of security solutions at Computer Associates International

Europeans were still combating the worm Wednesday.

"It's still in the wild and it's still spreading," said Raimund Genes, European vice president of sales marketing for Trend Micro.

Trend Micro recorded 38,000 computer work stations and 80,000 e-mail networks around the world had been affected as of 0900 GMT, Genes said. One Trend Micro customer had to purge 50 infestations from its e-mail network per hour Wednesday morning, he added.

Experts said there were signs Goner's infestation was slowing, but that it was likely to persist into next week. An anti-virus consultant for Sophos Anti-Virus in the UK said it was likely that the number of Goner victims would be in the hundreds of thousands before it disappeared from view.

Anti-virus software firms hastily designed an antidote Tuesday to contain the worm. "It's not a complex one," Trend Micro's Genes said of Goner.

Security experts said Goner's uncomplicated coding and the fact it targeted some chat users led them to suspect the author was a teenager.

(Additional reporting by Reed Stevenson in Tokyo)

REUTERS

Copyright 2001 Reuters Limited. All rights reserved.

Republication or redistribution of Reuters content, including by framing or similar means, is expressly prohibited without the prior written consent of Reuters.

Reuters shall be not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.