Two New Malicious E-Mails: One Stings, the Other Doesn't - Page 2

 By Jim Freund
Page 2 of 3   |  Back to Page 1
Print Article

The Payload
Once executed, Gokar attempts the usual Outlook exploit of mailing itself to everyone in the victim's address book. Next, it saves a copy of itself in the Windows system folder, and adds a key to the registry to run the worm automatically upon the next bootup process. As with Goner, it searches for a copy of the popular Internet Relay Chat program, mIRC, and creates a file script that will attempt to send itself to others on the IRC channel when available. Finally, it seeks the directory, c:\inetpub\wwwroot (present on Microsoft IIS Web servers), and renames the file DEFAULT.HTM to REDESI.HTM, and creates a new DEFAULT.HTM. This page will display the "We Are Forever" text and offer the worm as a download to browsers.

To rid yourself of Gokar, remove or restore the files mentioned above that it created, and then back up your registry and using REGEDIT or your preferred program, check the key

and remove the value of any filename Gokar put in there. (In some variants, the filename and value may be KAREN.EXE.)

Again, aside from the potential temporary flooding of your e-mail gateway, Gokar is not too malicious. But it is very infectious, and should be carefully and thoroughly eradicated.

The other bit of nasty e-mail currently making the rounds involves no engineering outside of human behavior. It is, in fact, a hoax that warns of a virus that does not exist, and tries to get people to delete a legitimate file. This is much harder to detect than most malicious e-mails. First, it is not a mass-mailer, but rather is often sent by well-meaning people. Second, it often does not have an attachment of any kind, and so will pass through most security programs and filters.

There are many variants of the message which first appeared last April in Brazil, and made its way from Portuguese to Danish, Dutch, French, and English. A new version is now goinmg around that has text similar to the following:

  I have just learned about a new computer virus, and found that 
  it was in my computer and is transmitted through the address 
  book.  Since you are in my address book, I am sending you this 
  instruction to have it removed before it can do damage to you 
  as well.  It lies dormant for 14 days, and then kills the hard 
  drive.  If you have got it, send this message to everyone in 
  your address book.

  The directions for removing it are easy.
  1.  Go to "start" then to "find" or "search".
  2.  In the "search for files or folders", type in   sulfnbk.exe  - this is 
  the virus.
  3.  In the 'look in' section, make sure you are searching Drive C.
  4.  Hit 'search' or 'find' button.
  5.  If this file shows up (It is an ugly blackish icon that will have the 
  name 'sulfnbk.exe'"  DO NOT OPEN IT!
  6.  Right-click on the file.  Then go to 'delete' and left-click to delete 
  7.  If it asks you if you want to send it to the recycle bin, say yes.
  8.  Go to the desktop icon for the recycle bin and double-click on it.
  9.  Empty the recycle bin.
  Sorry for the inconvenience.  It seems that the anti-virus programs did 
  not pick this up.
There are several variants of this theme. Some messages warn that the virus will strike on June 1st -- others make differing claims about the effects. The constant is that the message tells you to delete SULFNBK.EXE, which is, in fact, a legitimate Windows program.

This article was originally published on Dec 14, 2001
Get the Latest Scoop with Networking Update Newsletter