Summary

Godzilla is a slow mass mailing worm. It activates in a similar way as JS/Kak, by reading an infected email message.

Additional Details

VARIANT:

Godzilla.A

Godzilla.A uses Outlook Express 5.0 to spread as HTML source in each email from infected machine. To do this it saves its code in Update.hta in Windows Startup folder:

        C:\WINDOWS\START MENU\PROGRAMS\STARTUP\

so it will be executed next time when the system is restarted.

The virus also saves itself in C:\Windows folder in a file Sign.html. By modifying the Windows registry:

 HKCU\Identities\DefaultUserID\Software\Microsoft\OutlookExpress\5.0\Signatures

it changes Outlook Express signature to use Sign.html. On that way the worm code will be embedded in each outgoing email message.

If the date is October 10th, VBS/Godzilla.A shows a message box with a the following text:

        Have you danced with the devil in the moonlight ?

VBS/Godzilla.A@m also contains the following comment on the top of its code:

        I-Worm.Godzilla Coded by Zorro

[Analysis: Katrin Tocheva; F-Secure Corp.; August 21st, 2002]