W32/Gokar.A@mm

Threat risk:
medium

Detection files published:
13 Dec 2001
Description created:
2001-12-13
Description updated:
2001-12-19

Malware type:
Worm
Alias:
Spreading mechanism:
Email, IRC, Webpage

Payload:

Summary

This is an email worm written in Visual Basic and compressed with UPX.

Spreading description

Email characteristics:

Subject: Several possible
Body: Several possible

Attachment: Semi-random

When run, the worm copies itself to the Windows directory under the name KAREN.EXE and sets the registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run Karen=C:\WINDOWS\KAREN.EXE so that it is started at bootup.

Web infection


If the directory \Inetpub\WWWRoot exists, it will also copy itself there under the name WEB.EXE.
The file default.htm replaced with a worm copy that will display the text "We are forever" and attempt to load Web.exe as the page is accessed.
Browsers should display a warning at this point, and the worm will not be run unless the user actually selects to run the file.

Mail spreading

The worm will then send itself to all entries in the Microsoft Outlook address book.

The worm uses a list of several possible email subjects to choose from.

Possible Subjects:

"Darling, when did you fall, when was it over?"

"An I miss you most of all, my darling..."

"If I were God and didn't believe in myself, would it be blasphemy"

"The A-Team vs. KnightRider ... who would win?"

"Just one kiss, will make it better. Just one kiss, and we will be alright."

"I can't help this longing, comfort me."

"When autumn leaves start to fall"

"It's dark in here you can feel it all around. The underground."

"I will always be with you sometimes black sometimes white"

"..and there's no need to be scared, you're always on my mind"

"You just take a giant step, one step higher."

"The air will hold you if you try, trust my wings of desire. Glory, Glorified......."

"The horizons lean forward, offering us space to place new steps of change."

"Will you meet me .... and we'll fly away?"

Possible body texts:

"Happy Birthday
Yeah, ok, so it's not yours it's mine :)
still cause for a celebration though, check out the details I attached"

"You should like this, it could have been made for you.
speak to you later"

"Hey
They say love is blind ... well, the attachment probably proves it. Pretty good either way, isn't it?"

"This made me laugh
Got some more stuff to tell you later but I can't stop right now so I'll email you later or give you a ring if that's ok?"

Attachment names consist of a semi-random combination of letters and numbers, often rather long. The extension will be one of the following: EXE, COM, BAT, PIF or SCR.

IRC propagation

The worm also has a third propagation route: Internet Relay Chat. If the mIRC client is installed, the worm writes a small script to the default mIRC directory, which in turn attempts to send the worm to any user who joins the channel the infected user is in. The file transfer is accompanied by the message:
"If this doesn't make you smile, nothing will."

Threat description

The worm replaces web pages (\InetPub\WWWRoot\default.htm) on infected web servers. The original web page is saved under the name redesi.htm.

It places a script in the mIRC directory if the mIRC IRC client is installed.

It also attempts to kill (i.e. remove from memory) the following processes:

VSHWIN32.EXE
NAVAPW32.EXE
_avpm.exe
avpm.exe
ICLOAD95.EXE
ICMON.EXE
IOMon98.exe
VetTray.exe
Claw95.exe
f-stopw.exe

These are programs belonging to different antivirus products.

Removal

The worm itself, IRC script and bogus default.htm will be removed by Norman's antivirus products. However, the original default.htm must be copied back manually.
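An added triage helper (example code, not from Norman's description or products) that turns the indicators above into checks a responder can run over data collected from a suspect host: the Run value, the two dropped files and the defaced default.htm. It also flags the redesi.htm backup so the original page can be copied back manually, as the removal step above requires. The function names, the dictionary/list inputs and the sample data are assumptions constructed for this example.

```python
from pathlib import PureWindowsPath

# Indicators taken from the description above; names compare case-insensitively.
RUN_VALUE_NAME = "karen"
DROPPER = "karen.exe"            # copied to the Windows directory
WEB_COPY = "web.exe"             # copied to \Inetpub\WWWRoot
DEFACEMENT_MARKER = "we are forever"
BACKUP_PAGE = "redesi.htm"       # where the worm saves the original default.htm


def check_run_entries(run_entries):
    """run_entries: {value name: command} read from HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run."""
    hits = []
    for name, cmd in run_entries.items():
        exe = PureWindowsPath(cmd.strip('"')).name.lower()
        # Match on the value name the worm uses or on the executable it points at.
        if name.lower() == RUN_VALUE_NAME or exe == DROPPER:
            hits.append(f"autorun: {name}={cmd}")
    return hits


def is_defaced_page(html):
    """The replaced default.htm shows the marker text and tries to load Web.exe."""
    lowered = html.lower()
    return DEFACEMENT_MARKER in lowered and WEB_COPY in lowered


def triage(run_entries, windir_files, wwwroot_files, default_htm=""):
    """Return a list of findings; an empty list means no Gokar indicator was seen."""
    findings = check_run_entries(run_entries)
    windir = {f.lower() for f in windir_files}
    wwwroot = {f.lower() for f in wwwroot_files}
    if DROPPER in windir:
        findings.append("dropper: KAREN.EXE present in the Windows directory")
    if WEB_COPY in wwwroot:
        findings.append("web copy: WEB.EXE present in \\Inetpub\\WWWRoot")
    if is_defaced_page(default_htm):
        msg = "defaced: default.htm replaced by the worm's page"
        if BACKUP_PAGE in wwwroot:
            msg += "; original saved as redesi.htm, copy it back manually"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    # Constructed sample data standing in for what a responder collected from a host.
    sample_run = {"Karen": "C:\\WINDOWS\\KAREN.EXE", "ctfmon": "C:\\WINDOWS\\system32\\ctfmon.exe"}
    sample_page = "<html><body>We are forever<object data='Web.exe'></object></body></html>"
    for line in triage(sample_run, ["explorer.exe", "KAREN.EXE"],
                       ["default.htm", "WEB.EXE", "redesi.htm"], sample_page):
        print(line)
```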

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.
