Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Godzilla


Aliases:


Godzilla
VBS/Godzilla.A@m, I-Worm.Godzilla

Malware
Worm
VBS

Summary

Godzilla is a slow mass mailing worm. It activates in a similar way as JS/Kak, by reading an infected email message.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details


Variant:Godzilla.A

Godzilla.A uses Outlook Express 5.0 to spread as HTML source in each email from infected machine. To do this it saves its code in Update.hta in Windows Startup folder:

C:\WINDOWS\START MENU\PROGRAMS\STARTUP\

so it will be executed next time when the system is restarted.

The virus also saves itself in C:\Windows folder in a file Sign.html. By modifying the Windows registry:

HKCU\Identities\DefaultUserID\Software\Microsoft\OutlookExpress\5.0\Signatures

it changes Outlook Express signature to use Sign.html. On that way the worm code will be embedded in each outgoing email message.

If the date is October 10th, VBS/Godzilla.A shows a message box with a the following text:

Have you danced with the devil in the moonlight ?

VBS/Godzilla.A@m also contains the following comment on the top of its code:

I-Worm.Godzilla Coded by Zorro





Technical Details: Katrin Tocheva; F-Secure Corp.; August 21st, 2002



Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.