December 2001

Monthly Virus Update: Goner, Gokar and Other Nasty Worms
 

This look at the latest viruses making the cyber-rounds is provided by the Lab's Computer Protection Program. The viruses described below are all being blocked by the Lab's "VirusWall," which scans all incoming email with "lbl.gov" addresses for viruses. Employees who maintain their own Lab email servers should check to ensure that these systems have updated antivirus software.

Goner

This worm spread extremely quickly on December 4 and has been tapering off as people update their antivirus software to detect and destroy it. It only affects Microsoft Windows systems. The worm does not damage the system or files; however, it will attempt to disable antivirus software, including Norton Antivirus. It may also attempt to flood certain IRC chat channels from the infected computer. It spreads by mailing itself to everyone in the Windows Address Book or through ICQ chat sessions.

Identifying marks:
Subject: "Hi"
Message: "How are you? When I saw this screen saver, i immediately thought of you. I am in a harry, I promise you will love it!"
Attachment: "gone.scr"

Removal:
Use the Norton removal tool by following these instructions.

Be sure to uninstall and reinstall Norton Antivirus as per the instructions once the infection has been purged.

More information.


*******************

Gokar

This worm appeared on December 12 and has been spreading quickly. It only affects Microsoft Windows systems. The worm does not damage the system or files. It spreads by mailing itself to everyone in the Windows Address Book, through ICQ chat sessions, or through a modified Web page. In the last case, if the worm infects a computer running the IIS Web server, it will modify the home page to include a link allowing website visitors to download a copy of WEB.EXE.

Identifying marks:

Subject: One of the following,

  • "If I were God and didn't belive in myself would it be blasphemy"
  • "The A-Team VS KnightRider ... who would win ?"
  • "Just one kiss, will make it better. just one kiss, and we will be alright."
  • "I can't help this longing, comfort me."
  • "And I miss you most of all, my darling ..."
  • "... When autumn leaves start to fall"
  • "It's dark in here, you can feel it all around. The underground."
  • "I will always be with you sometimes black sometimes white ..."

Message: One of the following,

  • "Happy Birthday Yeah ok, so it's not yours it's mine :) still cause for a celebration though, check out the details I attached"
  • "Hey They say love is blind ... well, the attachment probably proves it. Pretty good either way though, isn't it ?"
  • "You should like this, it could have been made for you speak to you later"

Attachment: A random file name starting with a number followed by a bunch of nonsense letters and numbers. The attachment may be a .pif, .scr, .exe, .com, or .bat file.

On an infected computer the file "Karen.exe" will exist in the Windows directory.

Removal:
Follow these removal instructions.

******************

Other recent worms to avoid:

ZACKER Worm
Subject: Your Friend <sender's name> Good Luck
Attachment: LucKey.exe

FUNDLL Worm
Subject: Funny...Funny...Funny...stories
Attachment: funnystories.txt.vbs

PAUKOR Worm
Attachment: Files.exe

UPDATR Worm
Subject: A combination of the following words and phrases into a plausible sentence:
Have you, You Should, Just, Why Not you, How to, Re:, Fwd :, Check, Check out, Watch out, Open, Look at, this, my, For this, The, Picture, Program, Patch, Nude pic, Report, Documment, Quotation, Transaction, Bank Account, WTC Tragedy, Osama Vs Bush, Account, Private Pic

Possible attachments: Setup.exe, install.exe, Readme.exe, Files.exe, Picture.exe, Quotation.Doc.exe, letter.doc.exe or Picture.jpg.exe
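
For those who maintain their own mail servers, the attachment marks listed above can be turned into a simple triage check. The following is an added example, not part of the VirusWall or any Lab tool; the function names, the decoy-extension list and the sample message are assumptions made for illustration.

```python
import os
import re
from email.message import EmailMessage

# Attachment names listed in the advisory above (compared case-insensitively).
KNOWN_NAMES = {
    "gone.scr", "luckey.exe", "funnystories.txt.vbs", "files.exe",
    "setup.exe", "install.exe", "readme.exe", "picture.exe",
    "quotation.doc.exe", "letter.doc.exe", "picture.jpg.exe",
}
# Extensions the advisory gives for Gokar, plus .vbs from the FUNDLL entry.
EXEC_EXT = {".pif", ".scr", ".exe", ".com", ".bat", ".vbs"}
# Assumption: inner extensions treated as decoys in "name.doc.exe" style names.
DECOY_EXT = (".txt", ".doc", ".jpg")
# Gokar description: a digit, then letters and digits, then an executable extension.
GOKAR_NAME = re.compile(r"^\d[a-z0-9]+\.(pif|scr|exe|com|bat)$")

def classify(filename):
    """Return the reason a filename is suspicious, or None."""
    lower = filename.lower()
    stem, ext = os.path.splitext(lower)
    if lower in KNOWN_NAMES:
        return "named in advisory"
    if ext in EXEC_EXT and stem.endswith(DECOY_EXT):
        return "double extension"
    if GOKAR_NAME.match(lower):
        return "gokar-style name"
    if ext in EXEC_EXT:
        return "executable attachment"
    return None

def scan(msg):
    """List (filename, reason) for every suspicious attachment in a message."""
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return [(n, classify(n)) for n in names if classify(n)]

def sample_message(filenames):
    """Constructed test mail with placeholder bytes under each filename."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body")
    for fn in filenames:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fn)
    return msg
```

Names such as Setup.exe and install.exe are also used by legitimate software, so a hit is a reason to quarantine and scan the message with updated antivirus software, not proof of infection.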

