Yet another Outlook Express/Windows virus:

How are you ?
When I saw this screensaver, I immediately thought about you I am in a harry, I promise you will love it!

http://news.cnet.com/news/0-1003-200-8065378.html?tag=tp_pr

It's hit Australia.

http://securityresponse.symantec.com/avcenter/venc/data/w32.goner.a@mm.html

Goner is a script kiddie-inspired worm that disables firewalls, antivirus
A fast-spreading worm that looks like a malicious user Web-site defacement could also disable your antivirus and firewall protection.

By Robert Vamosi, ZDNet Reviews


Let there be no doubt that script kiddies--inexperienced malicious programmers--have taken up the once lowly skill of virus writing. Goner's (w32.Goner.A@mm) pop-up displays look like a typical script kiddie Web-site defacement, complete with the typical script kiddie "greetz." Besides spreading rapidly by e-mail, and therefore posing a threat to e-mail servers, Goner spreads via ICQ and also shuts down antivirus and firewall protection, leaving your Windows computer vulnerable to other attacks. Because it deletes files, Goner ranks a 7 on the ZDNet Virus Meter.

How it works
Goner arrives by ICQ or e-mail bearing a subject line of "Hi" with the body text of "How are you ? When I saw this screen saver, I immediately thought about you I am in a harry, I promise you will love it!" The attached file is gone.scr.

The payload of Goner is written in Visual Basic 6, packed with a UPX file compressor, and is 39KB in size. If executed, the worm makes copies of itself in the Windows System directory under the name gone.scr. It also adds itself to the Registry so that it executes each time the computer reboots.

Goner uses the Outbook Address Book to find addresses to send e-mail copies of itself. If ICQ, a favorite program of script kiddies, is also present on the infected computer, Goner will attempt to spread copies of itself through that service as well.

Besides displaying a message taking credit for the worm--"Pentagone coded by: suid tested by: ThE_SkuLL and Isatanl"--and a traditional script kiddie greetz--"greetings to TraceWar, k9unit, stef16, ^Reno. Greetings also to nonick2 out there where ever you are"--this worm also displays a fake error message

Goner disables antivirus and firewall protection by attempting to delete the following files:


aplica32.exe
zonealarm.exe
esafe.exe
cfiadmin.exe
cfiaudit.exe
cfinet32.exe
pcfwallicon.exe
frw.exe
vshwin32.exe
vsecomr.exe
webscanx.exe
avconsol.exe
vsstat.exe
pw32.exe
vw32.exe
vp32.exe
vpcc.exe
vpm.exe
avp32.exe
avpcc.exe
avpm.exe
avp.exe
lockdown2000.exe
icload95.exe
icmon.exe
icsupp95.exe
icloadnt.exe
icsuppnt.exe
tds2-98.exe
tds2-nt.exe
safeweb.exe
If Goner can't delete the files immediately, it will create a WININIT.INI file to delete the files upon reboot.

Removal
Most of the antivirus software companies have updated their signature files to include this worm. For more information on removing this Goner from your system, see Central Command, F-Secure, Kaspersky, McAfee, Sophos, Symantec, and Trend Micro.

Also known as "pentagone"
http://htmlforums.com/showthread.php?threadid=9247

whoops! Just posting in a hurry!

it hit my sisters work pretty hard.

http://www.mcafee.com/anti-virus/viruses/goner/default.asp?cid=2636

Manual Removal Instructions
WINDOWS 95/98/ME
Restart Windows in Safe Mode (reboot your computer, just before the large WINDOWS startup screen comes up, hit the F5 key). You can recognize that you're in Safe Mode by the text Safe Mode in the 4 corners of the desktop.
Click START | FIND | Files or Folders ...
Type Gone.scr and hit ENTER
Delete GONE.SCR (if present)
Click START | RUN, type REGEDIT and hit ENTER
Click the (+) next to HKEY_LOCAL_MACHINE
Click the (+) next to SOFTWARE
Click the (+) next to MICROSOFT
Click the (+) next to WINDOWS
Click the (+) next to CURRENTVERSION
Click RUN
Click on C:\WINDOWS\SYSTEM\gone.scr on the right and hit DELETE on the keyboard
Restart the computer
Additional Windows ME Info:
NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.
Disabling the Restore Utility
1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse the file's located in the C:\_Restore folder and remove the file's.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected file's are removed and the System Restore is once again active.

also want to add to my post above, that if you do that what it says it will come back. it seems that Mcafee forgot to let us know that it is in the registery twice. so first do that above, then search for pentagone and delete that one too. that should take care of it. I found out that hard way :)