Security Incidents mailing list archives

Gokar Worm?


From: Jeremy G Byrne <jeremy () cygnus uwa edu au>
Date: Thu, 13 Dec 2001 12:52:25 +0800

Hi All--

Just received a message cleaned by yahoogroups.com of
something their NT-based "InterScan E-Mail VirusWall"
product calls "WORM_GOKAR.A". The social engineering
aspect of the carrier email is quite disturbing:

Subject: You just take a giant step, one step higher.
[...]
Hey
They say love is blind ... well, the attachment probably 
proves it. Pretty good either way though, isn't it ?
[PSEUDO NYM]

(where [PSEUDO NYM] is the name of the person from whose
account the email originates--which the worm must somehow
be harvesting from extant email).

The attachment had been replaced by yahoogroups' filters
with the following message:

--

****** Message from InterScan E-Mail VirusWall NT ******

** WARNING! Attached file y343rvy343rvy343rv28835589575y343rv.pif contains:

     WORM_GOKAR.A virus

   Attempted to clean the file but it is not cleanable.
   It has been deleted.
*****************     End of message     ***************

--

The really odd thing is that I can't find any references
to a "Gokar Worm" on google, google's usenet mirror, or
on several specialist av sites I've checked. Is this a 
case of commercial non-disclosure?

CYa,
JEREMY


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

