F-Secure Virus Descriptions : Godzilla
Godzilla is a slow mass mailing worm. It activates in a similar
way as JS/Kak, by reading an infected email message.
Godzilla.A uses Outlook Express 5.0 to spread as HTML source in
each email from infected machine. To do this it saves its code
in Update.hta in Windows Startup folder:
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\
so it will be executed next time when the system is restarted.
The virus also saves itself in C:\Windows folder in a file
Sign.html. By modifying the Windows registry:
HKCU\Identities\DefaultUserID\Software\Microsoft\OutlookExpress\5.0\Signatures
it changes Outlook Express signature to use Sign.html. On that
way the worm code will be embedded in each outgoing email message.
If the date is October 10th, VBS/Godzilla.A shows a message box
with a the following text:
Have you danced with the devil in the moonlight ?
VBS/Godzilla.A@m also contains the following comment on the top
of its code:
I-Worm.Godzilla Coded by Zorro
[Analysis: Katrin Tocheva; F-Secure Corp.; August 21st, 2002]
|
