Godzilla.A uses Outlook Express 5.0 to spread as HTML source in
each email from infected machine. To do this it saves its code
in Update.hta in Windows Startup folder:
so it will be executed next time when the system is restarted.
The virus also saves itself in C:\Windows folder in a file
Sign.html. By modifying the Windows registry:
it changes Outlook Express signature to use Sign.html. On that
way the worm code will be embedded in each outgoing email message.
If the date is October 10th, VBS/Godzilla.A shows a message box
with a the following text:
Have you danced with the devil in the moonlight ?
VBS/Godzilla.A@m also contains the following comment on the top
of its code:
I-Worm.Godzilla Coded by Zorro
[Analysis: Katrin Tocheva; F-Secure Corp.; August 21st, 2002]