Jeremy G Byrne <jeremyat_private> wrote:

> Just received a message cleaned by yahoogroups.com of
> something their NT-based "InterScan E-Mail VirusWall"
> product calls "WORM_GOKAR.A". The social engineering
> aspect of the carrier email is quite disturbing:
>
> >Subject: You just take a giant step, one step higher.
> [...]
> >Hey
> >They say love is blind ... well, the attachment probably
> >proves it. Pretty good either way though, isn't it ?

The message and body are randomly selected from large lists of such
things in the virus -- if anyone was thinking of setting up filters on
the preceding, save yourself the bother...

> >[PSEUDO NYM]
>
> (where [PSEUDO NYM] is the name of the person from whose
> account the email originates--which the worm must somehow
> be harvesting from extant email).

No. It simply pulls some registry settings, just like Outlook does
itself. Nothing clever, sophisticated or particularly worrying about
it...

> The really odd thing is that I can't find any references
> to a "Gokar Worm" on google, google's usenet mirror, or
> on several specialist av sites I've checked. Is this a
> case of commercial non-disclosure?

Twaddle. You just happened to be one of the earlier (potential)
victims to see it. By the time you got that report from Yahoo, most
developers had samples and would have been rolling (or had already
posted) their DAT/DEF/etc updates. With simple things like Gokar, that
can happen way faster than the web sites get updated. A few hours
after you posted your note (assuming the timestamp is correct) at
least the following AV web pages describing Gokar existed:

http://www3.ca.com/Virus/Virus.asp?ID=10606
http://vil.nai.com/vil/virusSummary.asp?virus_k=99282
http://www.sarc.com/avcenter/venc/data/w32.gokar.aat_private
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_GOKAR.A

I'm sure a few of the "obvious exceptions" have added their own
descriptions by now too...
Finally, why send this to incidents rather than focus-virus? Run of
the mill viruses are not "security incidents", and receiving a
pseudo-cryptic "virus detected" message from your webmail provider is
certainly not a security incident.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Dec 13 2001 - 13:45:08 PST