Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Gokar.A@mm


Destructivity MEDIUM MEDIUM
Detection files published 12 Dec 2001 03:00:00
Description created 13 Dec 2001 02:49:00
Description updated 19 Dec 2001 08:39:00
Malware type WORM
Spreading mechanism EMAIL
Summary None



When run, the worm will copy itself to the Windows directory under the name of KAREN.EXE, and sets a registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run Karen=C:\WINDOWS\KAREN.EXE in order to start it at bootup.

Web infection

If the directory \Inetpub\WWWRoot exists, it will also copy itself there under the name WEB.EXE.
The file default.htm replaced with a worm copy that will display the text "We are forever" and attempt to load Web.exe as the page is accessed.
Browsers should display a warning at this point, and the worm will not be run unless the user actually selects to run the file.

Mail spreading

The worm will then send itself to all entries in the Microsoft Outlook address book.

The worm uses a list of several possible email subjects to choose from.

Possible Subjects:

"Darling, when did you fall, when was it over?"

"An I miss you most of all, my darling..."

"If I were God and didn't believe in myself, would it be blasphemy"

"The A-Team vs. KnightRider ... who would win?"

"Just one kiss, will make it better. Just one kiss, and we will be alright."

"I can't help this longing, comfort me."

"When autumn leaves start to fall"

"It's dark in here you can feel it all around. The underground."

"I will always be with you sometimes black sometimes white"

"..and there's no need to be scared, you're always on my mind"

"You just take a giant step, one step higher."

"The air will hold you if you try, trust my wings of desire. Glory, Glorified......."

"The horizons lean forward, offering us space to place new steps of change."

"Will you meet me .... and we'll fly away?"

Possible body texts:

"Happy Birthday
Yeah, ok, so it's not yours it's mine :)
still cause for a celebration though, check out the details I attached"

"You should like this, it could have been made for you.
speak to you later"

They say love is blind ... well, the attachment probably proves it. Pretty good either way, isn't it?"

"This made me laugh
Got some more stuff to tell you later but I can't stop right now so I'll email you later or give you a ring if that's ok?"

Attachment names will consist of a semi-random combination of letters and numbers, often rather long. Extension will be one of the following: EXE, COM, BAT, PIF, SCR

IRC propagation

The worm also has a third way of propagation - through Internet Relay Chat. If the IRC client mIRC is installed, the worm will write a small script to the default mIRC directory, which in turn will attempt to send the worm to any user that joins the channel where the infected user resides. The file transmission will be accompanied by a message saying:
"If this doesn't make you smile, nothing will."

Payload Details

The worm replaces web pages(\InetPub\WWWRoot\default.htm) on infected web servers. The original web pages are saved under the name redesi.htm.It places a script in the MIRC directory if you have mIRC IRC client installed. It also attempts to kill (i.e. remove from memory) the following programs:VSHWIN32.EXENAVAPW32.EXE_avpm.exeavpm.exeICLOAD95.EXEICMON.EXEIOMon98.exeVetTray.exeClaw95.exef-stopw.exeThese are programs belonging to different antivirus products.




The worm itself, IRC script and bogus default.htm will be removed by Lumension's antivirus products. However, the original default.htm must be copied back manually.

Last Updated: 12 Nov 2015 11:06:11