Sweet-talking worm lowers defences
Published: 14 Dec 2001 10:14 GMT
Not all Internet worms contain misspellings and sex references. In fact, Gokar (w32.gokar.a@mm) is even a little poetic. Unfortunately, this worm will attempt to contact everyone in your Microsoft Outlook address book, potentially tying up email servers with excess traffic.
Gokar also contains an mIRC script that allows the worm to spread from infected users to other IRC users who share the same channel. In rare cases, Gokar can spread via a Web page, asking users who happen upon an infected Web page to download a file called Web.exe. At this time, Gokar is not known to damage data files, but it will disable antivirus software running at the time of infection.
How it works
Gokar arrives as email with one of the following subject lines:
- If I were God and didn't belive in myself would it be blasphemy
- The A-Team VS KnightRider...who would win?
- Just one kiss, will make it better. just one kiss, and we will be alright.
- I can't help this longing, comfort me.
- And I miss you most of all, my darling...
- ...When autumn leaves start to fall
- It's dark in here, you can feel it all around. The underground.
- I will always be with you sometimes black sometimes white ...
- ...and there's no need to be scared, you re always on my mind.
- You just take a giant step, one step higher.
- The air will hold you if you try, trust my wings of desire. Glory, Glorified...
The body of the email contains one or more of the following:
- Happy Birthday
- Yeah ok, so it's not yours it's mine :)
- The horizons lean forward, offering us space to place new steps of change.
- I like this calm, moments before the storm
- Darling, when did you fall...when was it over?
- Will you meet me...and we'll fly away?!
- You should like this, it could have been made for you
- speak to you later
- They say love is blind...well, the attachment probably proves it.
- Pretty good either way though, isn't it?
- still cause for a celebration though, check out the details I attached
- This made me laugh
- Got some more stuff to tell you later but I can't stop right now
- so I'll email you later or give you a ring if thats ok?!
- Speak to you later
The attached filename consists of a random number combined with a short string of random-looking characters, and an extension that can be: .pif, .scr, .exe, .com, or .bat.
If the attached file is opened, the worm adds the infected user's name to the end of the message and sends copies of the mail to all addresses in the Microsoft Outlook address book. Gokar also contains a script called script.ini. If an infected user joins an IRC channel, Gokar sends the infected file karen.exe to new users joining that channel. The worm looks for specific words used on the channel and will change a user's nickname to variations on Karen, such as KarenWorm or KarenGobo, or change the user's channel to #teamvirus.
If the infected computer is also a Web server running Microsoft IIS, Gokar can infect the Default.htm page so that outsiders who visit the site will be asked to download a file called Web.exe. The infected Web page contains the text "We Are Forever."
On infected computers, Gokar looks for and disables several popular antivirus products, including Symantec, F-Secure, Kaspersky, Sophos, and Trend Micro.
Removal
Almost all the antivirus software companies have updated their signature files to include this worm. For more information on removing Gokar from your system, see Central Command, Computer Associates, F-Secure, McAfee, Panda, Sophos, Symantec and Trend Micro.
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.
Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.
Let the editors know what you think in the Mailroom. And read other letters.
Did you find this article useful?
5 out of 16 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
