More viruses being sent directly to list users

Steve Harrison ko0u at OS.COM
Mon Dec 20 14:31:08 EST 1999 

At 12:52 PM 1999-12-20 -0600, John Farrington wrote:

See below...

>On 12/20/1999 Steve Harrison wrote:
>
>>Interestingly, some months ago, a good friend of mine forwarded me a
>>copy of saddam.exe. It was a very entertaining animated cartoon and
>>as far as I could tell, only that. Maybe it left something in my
>>system that's gonna blow up soon, though.
>>
>>The same friend sent me g_zilla.exe about a month ago....
>>Guess I'd better delete both it and saddam.exe (although the horse(s)
>>is(are) probably already out of the barn by now.... ;o(((
>
>Steve and all,
>
>As I understand it, the worm does not do any immediate destructive
>action on your PC; what it does when run is modify your Windows
>Registry file and Outlook Express (or Netscape Email) so that it
>automatically attaches itself to some or all of your outgoing
>E-mails without your knowledge. When unsuspecting recipients run
>the attached .EXE file, it does the same to their system.
>
>So, if you've run it, just deleting the .EXE file will not do you
>any good - you have to go into the Registry and delete the lines it
>inserted there, and perhaps some other stuff. I believe the info is
>on the Symantec site.
>
>Whether or not it will later damage your system I don't know.

While installing Norton AV2000 last night and poring through my system
files for other reasons, I had a look at both saddam.exe and G_zilla.exe
(as it's named in my system). In both cases, the file sizes are
considerably larger than the 69652 byte size mentioned on the Network
Associates site. For example, saddam.exe is about 297 kB and dated 19
November, 1998. G_zilla.exe is about 197 kB and dated 9 November, 1999.

It seems likely to me that someone wrote this worm, then also wrote code
to, as the Network Associates site says, randomly assign various names to
it. I'd be willing to bet that most, if not all, of the names being used
now are those of previously-entertaining cartoon animations of one type or
the other, such as the two that I have.

73, Steve K0XP

Sponsored by the City of Tempe 

Listserver Submissions:  heath at listserv.tempe.gov
Listserver Subscription: listserv at listserv.tempe.gov - "subscribe heath 'name' 'call'"
Listserver Unsubscribe: listserv at listserv.tempe.gov - -"signoff heath"

More information about the Heath mailing list