RE: Gokar Worm?

From: Matthew Reams (mreamsat_private)
Date: Thu Dec 13 2001 - 10:37:47 PST


    Though I'm sure there'll be millions of replies...
    
    http://securityresponse.symantec.com/avcenter/venc/data/w32.gokar.aat_privatetml
    
    > -----Original Message-----
    > From: Jeremy G Byrne [mailto:jeremyat_private] 
    > Sent: Wednesday, December 12, 2001 11:52 PM
    > To: incidentsat_private
    > Subject: Gokar Worm?
    > 
    > 
    > Hi All--
    > 
    > Just received a message cleaned by yahoogroups.com of
    > something their NT-based "InterScan E-Mail VirusWall"
    > product calls "WORM_GOKAR.A". The social engineering
    > aspect of the carrier email is quite disturbing:
    > 
    > >Subject: You just take a giant step, one step higher.
    > [...]
    > >Hey
    > >They say love is blind ... well, the attachment probably
    > >proves it. Pretty good either way though, isn't it ?
    > >[PSEUDO NYM]
    > 
    > (where [PSEUDO NYM] is the name of the person from whose 
    > account the email originates--which the worm must somehow be 
    > harvesting from extant email).
    > 
    > The attachment had been replaced by yahoogroups' filters
    > with the following message:
    > 
    > >--
    > 
    > ****** Message from InterScan E-Mail VirusWall NT ******
    > 
    > ** WARNING! Attached file y343rvy343rvy343rv28835589575y343rv.pif contains:
    > 
    >      WORM_GOKAR.A virus
    > 
    >    Attempted to clean the file but it is not cleanable.
    >    It has been deleted.
    > *****************     End of message     ***************
    > 
    > >--
    > 
    > The really odd thing is that I can't find any references
    > to a "Gokar Worm" on google, google's usenet mirror, or
    > on several specialist av sites I've checked. Is this a 
    > case of commercial non-disclosure?
    > 
    > CYa,
    > JEREMY
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    
    



    This archive was generated by hypermail 2b30 : Thu Dec 13 2001 - 10:45:40 PST