Results 1 to 4 of 4

Thread: **GOP.G** AV Heads up

  1. #1
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002

    **GOP.G** AV Heads up

    For those who don't trawl the AV sites or are not subscribed to any of the AV Newsletters/warning services, here is a current Cat 2 from symantec (Norton).

    For AV information check the following:
    to list a small collection..

    Watch out for the hoaxes.. some of the above sites have listings for the hoaxes or you could try:


    W32.HLLW.GOP.G@mm is a mass-mailing worm that copies itself to the hard drive as %System%\WindowsAgent.exe. It also searches the network drives and copies itself to \Recycled\Notdelw.i.n.v.e.r.y.i.f.y.exe on any mapped drive on which it can find an operating system. Then, W32.HLLW.GOP.G@mm modifies the Win.ini file to run the worm at startup.

    Type: Worm
    Infection Length: 44,033 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Macintosh, OS/2, UNIX, Linux
    When W32.HLLW.GOP.G@mm is executed, it does the following:

    1. Copies itself as %System%\WindowsAgent.exe.

    NOTE: %System% is a variable. The Trojan locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

    2. Creates the Drocerrbk.sys file, in which it stores stolen passwords.

    3. Adds the value:

    WindowsAgent %System%\WindowsAgent.exe

    to the registry key:


    4. Performs its mass-mailing routine. Mostly, the email message it sends will contain a subject and message in Chinese. The attachment will be a .bmp, .rtf, .doc, .txt, .gif, .jpeg, or .jpg file, which is taken from your computer.

    To the original file name, the worm adds a second file extension, either .exe or .lnk. For example, if the original file name is Birthday pic.bmp, the name of the attachment will be Birthday pic.bmp.exe or Birthday pic.bmp.lnk.

    The worm searches for email addresses in .htm and .html files, and in many different email mailbox files. After gathering all the email addresses the worm can find, it uses its own SMTP engine to send an email message that can be executed (on unpatched systems) when it is read by the recipient.

    NOTE: The worm takes advantage of the IFRAME vulnerability that allows Microsoft Outlook to automatically execute attachments. Information on this vulnerability can be found at: http://www.microsoft.com/windows/ie/...8/default.asp.

    5. Searches the network drives and copies itself to \Recycled\Notdelw.i.n.v.e.r.y.i.f.y.exe on any mapped drive on which it can find an operating system. Then, the worm sets that particular file to run at startup, by modifying the Win.ini file.
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  2. #2
    Join Date
    Aug 2002
    thanks for the heads up.

  3. #3
    Yeah, thanks.
    Glad to have the AV up to date .

  4. #4
    Senior Member
    Join Date
    Mar 2002
    Yeah, like said in one of the quick tips at the index of the AO site, a virus scanner is only as good as its last update.

    -{[ Joe ]}- (Joe@nitesecurity.com)

    [shadow]I\'m Just A Soldier In This War Against Ignorance.[/shadow]

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts