Two New Malicious E-Mails: One Stings, the Other Doesn't

By Jim Freund | Dec 14, 2001 | Print this Page

Once again, two virus-related e-mails are making the rounds. The good news is that neither one is particularly harmful. The bad news is that each may well slip through virus protection schemes that haven't been recently updated, and can thereby cause networkers and IT personnel to expend valuable time and energy.

The first is a new virus known as Gokar.A. So far, this seems to be primarily an exercise in propagation, as the end result of the malicious program does nothing beyond creating a HTML page which states "We Are Forever".

The most likely way you'd encounter Gokar is as an e-mail, whose characteristics change randomly. The Subject line will be any one of the following:

  • ... and there's no need to be scared, you re always on my mind.
  • And I miss you most of all, my darling ...
  • Darling, when did you fall? When was it over?
  • I can't help this longing, comfort me.
  • I like this calm, moments before the storm
  • I will always be with you sometimes black sometimes white ...
  • If I were God and didn't believe in myself would it be blasphemy?
  • It's dark in here; you can feel it all around. The underground.
  • Just one kiss, will make it better; just one kiss, and we will be alright.
  • The air will hold you if you try, trust my wings of desire. Glory, Glorified...
  • The A-Team VS KnightRider ... who would win?
  • The horizons lean forward, offering us space to place new steps of change.
  • When autumn leaves start to fall
  • You just take a giant step, one step higher.
The text of the message will be from among these:
  • Darling, when did you fall..when was it over ?
  • Got some more stuff to tell you later but I can't stop right now
  • Happy Birthday
  • I like this calm, moments before the storm
  • Pretty good either way though, isn't it ?
  • so I'll email you later or give you a ring if thats ok ?!
  • speak to you later
  • Speak to you later
  • still cause for a celebration though, check out the details I attached
  • The horizons lean forward, offering us space to place new steps of change.
  • They say love is blind ... well, the attachment probably proves it.
  • This made me laugh
  • Will you meet me .... and we'll fly away ?!
  • Yeah ok, so it's not yours it's mine :)
  • You should like this, it could have been made for you
The attachment's filename is also random, consisting of gibberish and an extension of either exe, com, scr, pif, or bat.

The Payload
Once executed, Gokar attempts the usual Outlook exploit of mailing itself to everyone in the victim's address book. Next, it saves a copy of itself in the Windows system folder, and adds a key to the registry to run the worm automatically upon the next bootup process. As with Goner, it searches for a copy of the popular Internet Relay Chat program, mIRC, and creates a file script that will attempt to send itself to others on the IRC channel when available. Finally, it seeks the directory, c:\inetpub\wwwroot (present on Microsoft IIS Web servers), and renames the file DEFAULT.HTM to REDESI.HTM, and creates a new DEFAULT.HTM. This page will display the "We Are Forever" text and offer the worm as a download to browsers.

To rid yourself of Gokar, remove or restore the files mentioned above that it created, and then back up your registry and using REGEDIT or your preferred program, check the key

and remove the value of any filename Gokar put in there. (In some variants, the filename and value may be KAREN.EXE.)

Again, aside from the potential temporary flooding of your e-mail gateway, Gokar is not too malicious. But it is very infectious, and should be carefully and thoroughly eradicated.

The other bit of nasty e-mail currently making the rounds involves no engineering outside of human behavior. It is, in fact, a hoax that warns of a virus that does not exist, and tries to get people to delete a legitimate file. This is much harder to detect than most malicious e-mails. First, it is not a mass-mailer, but rather is often sent by well-meaning people. Second, it often does not have an attachment of any kind, and so will pass through most security programs and filters.

There are many variants of the message which first appeared last April in Brazil, and made its way from Portuguese to Danish, Dutch, French, and English. A new version is now goinmg around that has text similar to the following:

  I have just learned about a new computer virus, and found that 
  it was in my computer and is transmitted through the address 
  book.  Since you are in my address book, I am sending you this 
  instruction to have it removed before it can do damage to you 
  as well.  It lies dormant for 14 days, and then kills the hard 
  drive.  If you have got it, send this message to everyone in 
  your address book.

  The directions for removing it are easy.
  1.  Go to "start" then to "find" or "search".
  2.  In the "search for files or folders", type in   sulfnbk.exe  - this is 
  the virus.
  3.  In the 'look in' section, make sure you are searching Drive C.
  4.  Hit 'search' or 'find' button.
  5.  If this file shows up (It is an ugly blackish icon that will have the 
  name 'sulfnbk.exe'"  DO NOT OPEN IT!
  6.  Right-click on the file.  Then go to 'delete' and left-click to delete 
  7.  If it asks you if you want to send it to the recycle bin, say yes.
  8.  Go to the desktop icon for the recycle bin and double-click on it.
  9.  Empty the recycle bin.
  Sorry for the inconvenience.  It seems that the anti-virus programs did 
  not pick this up.
There are several variants of this theme. Some messages warn that the virus will strike on June 1st -- others make differing claims about the effects. The constant is that the message tells you to delete SULFNBK.EXE, which is, in fact, a legitimate Windows program.

Sometimes the e-mail message will have an attachment that will claim to clean the infected file, or perhaps replace it. In all likelihood, that will be a Trojan, and should be picked up by most anti-virus programs. It should be noted that the Magistr virus can choose the SULFNBK.EXE file as its victim, infect it and send it out. So it's safe to say that under no circumstances should the executable be run.

If you or one of your users has deleted SULFNBK.EXE, don't panic. This is a relatively obscure utility used by Windows to restore long filenames, and is not essential to the OS. However, it's always better to be safe, so if you can, take the time to restore the file.

On Windows 98:

  1. Go to Start | Run
  2. Type SFC and hit enter.
  3. Click on "Extract one file from installation disk"
  4. In the "Specify the system file you would like to restore" box, type C:\WINDOWS\COMMAND\SULFNBK.EXE and then click on "Start"
  5. On the next screen, you'll see a "Restore from" box. Type in the path to your Windows CAB files (usually C:\WINDOWS\OPTIONS\CABS). If you can't find the CAB files on your computer, insert your Windows 98 CD and then type *\Win98, replacing * with the drive letter for your CD-ROM drive.
  6. Click the OK button.

On Windows ME:

  1. Go to Start | Run.
  2. Type MSCONFIG and hit enter.
  3. Click on the "Extract File ..." button.
  4. In the "Specify the system file you would like to restore" field, type C:\WINDOWS\COMMAND\SULFNBK.EXE then click on "Start"
  5. On the next screen, you'll see a "Restore from" box. Type in the path to your Windows CAB files (usually C:\WINDOWS\OPTIONS\CABS). If you can't find the CAB files on your computer, insert your Windows ME CD and then type *\WinME, replacing * with the drive letter for your CD-ROM drive. For example, if your CD-ROM is your D drive, you would type D:\WinME
  6. Click the OK button.

And remember to remind your users that it is never wise to pass along unverified information -- it's no better than a chain letter. In the case of mass-mailers, they may not be held as accountable for passing along a virus that struck their copy of Outlook, but in this instance they are the ones who told associates to delete part of their Operating System. Their associates will be much less forgiving under those circumstances.

Jim Freund is the Managing Editor of CrossNodes.