Security Incidents mailing list archives
Gokar Worm?
From: Jeremy G Byrne <jeremy () cygnus uwa edu au>
Date: Thu, 13 Dec 2001 12:52:25 +0800
Hi All--

Just received a message cleaned by yahoogroups.com of something their NT-based "InterScan E-Mail VirusWall" product calls "WORM_GOKAR.A". The social engineering aspect of the carrier email is quite disturbing:
Subject: You just take a giant step, one step higher.
[...]
Hey

They say love is blind ... well, the attachment probably proves it.
Pretty good either way though, isn't it ?

[PSEUDO NYM]
(where [PSEUDO NYM] is the name of the person from whose account the email originates--which the worm must somehow be harvesting from extant email). The attachment had been replaced by yahoogroups' filters with the following message:
--
****** Message from InterScan E-Mail VirusWall NT ******
** WARNING! Attached file y343rvy343rvy343rv28835589575y343rv.pif contains:
WORM_GOKAR.A virus
Attempted to clean the file but it is not cleanable. It has been deleted.
***************** End of message ***************
--
The really odd thing is that I can't find any references to a "Gokar Worm" on google, google's usenet mirror, or on several specialist av sites I've checked. Is this a case of commercial non-disclosure?

CYa,
JEREMY

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com