Why did the Goner e-mail virus cause such havoc?

The latest virus attack infected more e-mails than any other virus except Love Bug. Yet, as Bill Goodwin finds out, it was not technically innovative 

Businesses have been warned to expect a wave of e-mail viruses in the wake of the Goner virus which struck organisations around the world last week. 

Goner, described by some experts as the most virulent virus since Love Bug, spread worldwide in a matter of hours on 4 December, causing e-mail systems to become congested and damaging unprotected systems. 

"This one has really hit businesses hard," said Alex Shipp, virus technologist at Message Labs. "When the Love Bug struck, one in 20 e-mails were infected. With Goner it was one in 30. We have only had one other virus that infected more than one in 100 e-mails." 

Experts warned employers to expect a wave of copycat viruses over the coming weeks as virus writers take advantage of the Christmas season to hide malicious code in Christmas cards, jokes and screensavers. 

"Now is a good time to reinforce to your office that sending things like that has dangerous consequences," said Graham Cluley, virus technologist at Sophos. 

"A lot of people are getting into the habit of sending joke e-mails and screensavers. These present a danger because jokes can be accidentally infected with a virus and if you have an attitude that exchanging jokes is acceptable, virus writers will exploit that," he said. 

The fact that the Goner virus, also known as Pentagone, was able to spread so rapidly has raised questions about the adequacy of the anti-virus defences that companies have put in place. 

The virus could easily have been prevented, for instance, by blocking incoming e-mail attachments with a screensaver or .scs extension, a file type that has few, if any, legitimate business uses. 

More significantly, it shows that companies still have some way to go in educating their staff to react cautiously to unsolicited e-mail attachments, said Sal Viveros, marketing director at anti-virus firm McAfee. 

The lesson to be learnt is the same for all of these e-mail viruses, he said, "If an e-mail you are not expecting is sent to you and it has an attachment don't open it." 

Goner had an unpleasant pay-load for the companies that were infected. The virus is designed to identify and remove anti-virus software from the PCs it infects. It also attacks personal firewall software, leaving PCs open to hacking or denial of service attacks. 

"If you are running an old version of your anti-virus [software] when you receive Goner, that's rather nasty because not only do you catch this virus but you are vulnerable to other viruses as well. You might think you were immune to Kakworm and Sircam, but you're not," said Cluley. 

Repairing the virus damage could prove expensive for organisations that find their systems infected. The clean-up and damage costs could exceed the $8.75bn attributed to the more virulent Love Bug virus which struck in 2000, experts believe. In some cases, companies will be forced to re-install anti-virus software on infected machines manually. 

"You need to reinstall your anti-virus software and patch on the new virus software. That can be quite tricky. If you install your anti-virus software while the virus is still running, it is going to remove the software as you install it. The only recommendation is to visit your anti-virus supplier's Web site and follow its instructions," said Shipp.