F-Secure Virus Descriptions : Gop (worm)
| NAME: | Gop (worm) |
| ALIAS: | I-Worm.GOPworm, W32/Invery.A@mm, Invery |
Gop is a worm that spreads via the Internet being attached to
infected emails and through local network by copying to shared
drives. The worm itself is a Windows PE EXE file about 60Kb of
length (compressed by UPX), written in Delphi Microsoft Visual
C++.
The worm is improved variant of a password stealing trojan
Trojan.PSW.GOP (trojan).
The infected messages Subject and Body are in Chinese. The
attached file name is different, and has double extension:
filename.jpg.exe
filename.jpeg.exe
filename.gif.exe
filename.txt.exe
filename.doc.exe
filename.rtf.exe
filename.bmp.exe
To run from infected message the worm uses IFrame security
breach.
While installing the worm uses the same way as "GOPtrojan", the
additional feature is affected Registry key:
HKCR\exefile\shell\open\command
To send infected messages the worm uses direct access to a SMTP
server. The worm gets victim email addresses by scanning *.HTML,
*.HTM, *.JS files, as well as by scanning TheBat, Aerofox and
RimArts email databases.
[Analysis: Kaspersky Labs; January 2002]
|
