Threat Description

Godzilla

Details

Aliases: Godzilla, VBS/Godzilla.A@m, I-Worm.Godzilla
Category: Malware
Type: Worm
Platform: VBS

Summary



Godzilla is a slow mass mailing worm. It activates in a similar way as JS/Kak, by reading an infected email message.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details




Variant:Godzilla.A

Godzilla.A uses Outlook Express 5.0 to spread as HTML source in each email from infected machine. To do this it saves its code in Update.hta in Windows Startup folder:

C:\WINDOWS\START MENU\PROGRAMS\STARTUP\

so it will be executed next time when the system is restarted.

The virus also saves itself in C:\Windows folder in a file Sign.html. By modifying the Windows registry:

HKCU\Identities\DefaultUserID\Software\Microsoft\OutlookExpress\5.0\Signatures

it changes Outlook Express signature to use Sign.html. On that way the worm code will be embedded in each outgoing email message.

If the date is October 10th, VBS/Godzilla.A shows a message box with a the following text:

Have you danced with the devil in the moonlight ?

VBS/Godzilla.A@m also contains the following comment on the top of its code:

I-Worm.Godzilla Coded by Zorro





Technical Details: Katrin Tocheva; F-Secure Corp.; August 21st, 2002


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More