Security Incidents mailing list archives

Re: Gokar Worm?


From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Fri, 14 Dec 2001 10:36:12 +1200

Jeremy G Byrne <jeremy () cygnus uwa edu au> wrote:

> Just received a message cleaned by yahoogroups.com of
> something their NT-based "InterScan E-Mail VirusWall"
> product calls "WORM_GOKAR.A". The social engineering
> aspect of the carrier email is quite disturbing:
>
> Subject: You just take a giant step, one step higher.
> [...]
> Hey
> They say love is blind ... well, the attachment probably
> proves it. Pretty good either way though, isn't it ?

The message and body are randomly selected from large lists of such 
things in the virus -- if anyone was thinking of setting up filters 
on the preceding, save yourself the bother...

> [PSEUDO NYM]
>
> (where [PSEUDO NYM] is the name of the person from whose
> account the email originates--which the worm must somehow
> be harvesting from extant email).

No.  It simply pulls some registry settings, just like Outlook does 
itself.  Nothing clever, sophisticated or particularly worrying about 
it...

> The really odd thing is that I can't find any references
> to a "Gokar Worm" on google, google's usenet mirror, or
> on several specialist av sites I've checked. Is this a
> case of commercial non-disclosure?

Twaddle.

You just happened to be one of the earlier (potential) victims to see 
it.  By the time you got that report from Yahoo, most developers had 
samples and would have been rolling (or had already posted) their 
DAT/DEF/etc updates.  With simple things like Gokar, that can happen 
way faster than the web sites get updated.  A few hours after you 
posted your note (assuming the timestamp is correct) at least the 
following AV web pages describing Gokar existed:

   http://www3.ca.com/Virus/Virus.asp?ID=10606
   http://vil.nai.com/vil/virusSummary.asp?virus_k=99282
   http://www.sarc.com/avcenter/venc/data/w32.gokar.a@mm.html
   http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_GOKAR.A

I'm sure a few of the "obvious exceptions" have added their own 
descriptions by now too...

Finally, why send this to incidents rather than focus-virus?  Run of 
the mill viruses are not "security incidents", and receiving a 
pseudo-cryptic "virus detected" message from your webmail provider is 
certainly not a security incident.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
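
As an added illustration of the point made above about the sender name (this is not code from the original post, and not the worm's code): on a machine where Outlook Express is configured, the user's display name and address sit in per-user registry values, so any process running as that user can read them without touching a single stored mail. Which "registry settings" the post means is not stated; the Internet Account Manager key and value names below are an assumption about that.

```powershell
# Added example, not from the original post or from the worm.
# Assumption: the "registry settings" are the Outlook Express
# Internet Account Manager values; the post does not name them.
$iam = 'HKCU:\Software\Microsoft\Internet Account Manager'

function Get-DefaultMailIdentity {
    try {
        # 'Default Mail Account' holds the subkey name of the default
        # account under ...\Accounts, e.g. "00000001".
        $def  = Get-ItemProperty -Path $iam -Name 'Default Mail Account' -ErrorAction Stop
        $acct = Join-Path $iam ('Accounts\' + $def.'Default Mail Account')
        $p    = Get-ItemProperty -Path $acct -ErrorAction Stop

        # These three values are all a mass mailer needs to forge a
        # plausible From: header in the user's own name.
        [pscustomobject]@{
            DisplayName = $p.'SMTP Display Name'
            Address     = $p.'SMTP Email Address'
            SmtpServer  = $p.'SMTP Server'
        }
    }
    catch {
        # No Internet Account Manager data for this user (nothing
        # configured, or a mail client that stores accounts elsewhere).
        $null
    }
}

# No elevation needed: everything read here lives under HKCU.
Get-DefaultMailIdentity
```

The least-privilege lesson is the one the post hints at: the identity a worm needs to impersonate its host is ordinary per-user configuration data, readable by any code the user runs, so "it knew my name" is not evidence of anything sophisticated.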

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

