Security Incidents mailing list archives

RE: Gokar Worm?


From: "Matthew Reams" <mreams () intelixinc com>
Date: Thu, 13 Dec 2001 13:37:47 -0500

Though I'm sure there'll be millions of replies...

http://securityresponse.symantec.com/avcenter/venc/data/w32.gokar.a@mm.html

-----Original Message-----
From: Jeremy G Byrne [mailto:jeremy () cygnus uwa edu au] 
Sent: Wednesday, December 12, 2001 11:52 PM
To: incidents () securityfocus com
Subject: Gokar Worm?


Hi All--

Just received a message cleaned by yahoogroups.com of
something their NT-based "InterScan E-Mail VirusWall"
product calls "WORM_GOKAR.A". The social engineering
aspect of the carrier email is quite disturbing:

Subject: You just take a giant step, one step higher.
[...]
Hey
They say love is blind ... well, the attachment probably
proves it. Pretty good either way though, isn't it ?
[PSEUDO NYM]

(where [PSEUDO NYM] is the name of the person from whose 
account the email originates--which the worm must somehow be 
harvesting from extant email).

The attachment had been replaced by yahoogroups' filters
with the following message:

--

****** Message from InterScan E-Mail VirusWall NT ******

** WARNING! Attached file 
y343rvy343rvy343rv28835589575y343rv.pif contains:

     WORM_GOKAR.A virus

   Attempted to clean the file but it is not cleanable.
   It has been deleted.
*****************     End of message     ***************

--

The really odd thing is that I can't find any references
to a "Gokar Worm" on google, google's usenet mirror, or
on several specialist av sites I've checked. Is this a 
case of commercial non-disclosure?

CYa,
JEREMY


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


