Win32:Gokar
Win32:Gokar is a worm that spreads via email, via IRC, or as a download from a modified web page on an infected MS IIS Web Server. Like many others, it is written in Visual Basic and packed with UPX. It is 14336 bytes long. The worm spreads via an email message with the following characteristics:
Subject (One of the following possibilities):
The A-Team VS KnightRider ... who would win ?
And I miss you most of all, my darling ...
The air will hold you if you try, trust my wings of desire. Glory, Glorified.......
If I were God and didn't belive in myself would it be blasphemy
Just one kiss, will make it better. Just one kiss, and we will be alright.
I can't help this longing, comfort me.
It's dark in here, you can feel it all around. The underground.
.. and there's no need to be scared,you re always on my mind.
You just take a giant step, one step higher.
The horizons lean forward, offering us space to place new steps of change.
I like this calm, moments before the storm
Darling, when did you fall..when was it over?
Message Body (One of the following possibilities):
Yeah ok, so it's not yours it's mine :)
You should like this, it could have been made for you
speak to you later
Pretty good either way though, isn't it?
Happy Birthday
still cause for a celebration though, check out the details I attached
This made me laugh
Got some more stuff to tell you later but I can't stop right now
so I'll email you later or give you a ring if that's ok ?!
Speak to you later
The attachment name is totally random and it has one of the following extensions: .BAT, .COM, .EXE, .PIF, .SCR
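A mail-gateway check built from the subject lines and attachment extensions listed above, as an added example that is not part of the original description. The function names are hypothetical, and the sample message is constructed with an inert placeholder attachment.

```python
import email
from email import policy
from email.message import EmailMessage
# Subjects and attachment extensions exactly as listed in this description.
GOKAR_SUBJECTS = (
    "The A-Team VS KnightRider ... who would win ?",
    "And I miss you most of all, my darling ...",
    "The air will hold you if you try, trust my wings of desire. Glory, Glorified.......",
    "If I were God and didn't belive in myself would it be blasphemy",
    "Just one kiss, will make it better. Just one kiss, and we will be alright.",
    "I can't help this longing, comfort me.",
    "It's dark in here, you can feel it all around. The underground.",
    ".. and there's no need to be scared,you re always on my mind.",
    "You just take a giant step, one step higher.",
    "The horizons lean forward, offering us space to place new steps of change.",
    "I like this calm, moments before the storm",
    "Darling, when did you fall..when was it over?",
)
GOKAR_EXTENSIONS = (".bat", ".com", ".exe", ".pif", ".scr")

def norm(text):
    """Collapse whitespace and case so folded headers still match."""
    return " ".join(str(text).split()).lower()

def gokar_indicators(raw_bytes):
    """Return the Gokar mail indicators present in one raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    if norm(msg.get("Subject", "")) in {norm(s) for s in GOKAR_SUBJECTS}:
        hits.append("subject")
    for part in msg.iter_attachments():
        # The attachment name is random, so only its extension is usable.
        name = (part.get_filename() or "").lower()
        if name.endswith(GOKAR_EXTENSIONS):
            hits.append("attachment:" + name)
    return hits

def should_quarantine(raw_bytes):
    """Flag only when a listed subject arrives with a listed executable type."""
    hits = gokar_indicators(raw_bytes)
    return "subject" in hits and len(hits) > 1

def build_sample(subject, filename):
    """Constructed test message; the payload is inert placeholder bytes."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("This made me laugh")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Requiring both indicators keeps an ordinary message with an executable attachment, or a harmless message that happens to reuse one of the subjects, from being quarantined on a single weak signal.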
When executed, the worm copies itself to the Windows directory under the name KAREN.EXE and then creates a registry entry to run itself at startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ Karen="C:\WINDOWS\karen.exe"
It then attempts to send itself to all recipients found in the Outlook Address Book.
The worm also copies a mIRC script called script.ini, which is able to send the worm to other users when they enter the same IRC channel as the infected user. The script also changes the user's aliases depending on the words used in discussions.
If the infected computer is also running an MS IIS Web Server, the worm attempts to spread to users visiting that web server. It copies itself to the file C:\INET\PUB\WWW\ROOT\WEB.EXE and creates a DEFAULT.HTM file in this directory. When a remote user accesses this page, the browser prompts the user to run or save the web.exe program.
Removal:
* delete all infected files found on the disk
* remove the registry entry pointing to those files
* if you have MS-IIS Web Server running on the infected computer, remove the default.htm and web.exe files
Any avast! version with a VPS file dated on or after 13th December 2001 is able to detect this worm.














