Threat Description

Godzilla

Details

Aliases: Godzilla, VBS/Godzilla.A@m, I-Worm.Godzilla
Category: Malware
Type: Worm
Platform: VBS

Summary


Godzilla is a slow mass mailing worm. It activates in a similar way as JS/Kak, by reading an infected email message.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.



Technical Details



Variant:Godzilla.A

Godzilla.A uses Outlook Express 5.0 to spread as HTML source in each email from infected machine. To do this it saves its code in Update.hta in Windows Startup folder:

C:\WINDOWS\START MENU\PROGRAMS\STARTUP\  

so it will be executed next time when the system is restarted.

The virus also saves itself in C:\Windows folder in a file Sign.html. By modifying the Windows registry:

HKCU\Identities\DefaultUserID\Software\Microsoft\OutlookExpress\5.0\Signatures  

it changes Outlook Express signature to use Sign.html. On that way the worm code will be embedded in each outgoing email message.

If the date is October 10th, VBS/Godzilla.A shows a message box with a the following text:

Have you danced with the devil in the moonlight ?  

VBS/Godzilla.A@m also contains the following comment on the top of its code:

I-Worm.Godzilla Coded by Zorro  




Technical Details:Katrin Tocheva; F-Secure Corp.; August 21st, 2002


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More