Threat Encyclopedia


Win32/Gokar.A

Win32/Gokar.A is a worm written in Visual Basic and compressed with the UPX utility, so that its size is only 14336 bytes.  It spreads as an email file attachment.  The subject of the message, its body and the name of the attached file vary from message to message.  When the attached file is executed, the worm sends copies of itself to all addresses found in the Microsoft Outlook address book.  The worm chooses the message subject from the following list:

If I were God and didn't belive in myself would it be blasphemy
The A-Team VS KnightRider ... who would win ?
Just one kiss, will make it better. just one kiss, and we will be alright.
I can't help this longing, comfort me.
And I miss you most of all, my darling ...
... When autumn leaves start to fall
It's dark in here, you can feel it all around. The underground.
I will always be with you sometimes black sometimes white ...
.. and there's no need to be scared, you re always on my mind.
You just take a giant step, one step higher.
The air will hold you if you try, trust my wings of desire. Glory, Glorified.......

The worm builds the message body as follows: it randomly chooses one of the sentences from the list and adds to it the name of the Windows user, which it reads from the key HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner.  The worm picks sentences for the message body from the following list:

Yeah ok, so it's not yours it's mine :)
The horizons lean forward, offering us space to place new steps of change.
I like this calm, moments before the storm
Darling, when did you fall..when was it over !
Will you meet me .... and we'll fly away ?!
You should like this, it could have been made for you
speak to you later
They say love is blind ... well, the attachment probably proves it.
Pretty good either way though, isn't it ?
Happy Birthday
still cause for a celebration though, check out the details I attached
This made me laugh
Got some more stuff to tell you later but I can't stop right now
so I'll email you later or give you a ring if thats ok ?!
Speak to you later

To the message formed in this way the worm attaches a copy of itself under a random name built from numerals and one of 26 pre-defined strings 4 to 9 characters long.  As the extension of the copy's name the worm randomly selects one of the following: .pif, .src, .exe, .com and .bat.  The worm copies itself as the file karen.exe into the directory where the Windows operating system is installed.  It ensures its activation after a system restart by creating the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Karen in the system registry.

If the worm finds the directory C:\Mirc, it creates the file script.ini in it.  This file sends a copy of the worm, the file C:\WINDOWS\karen.exe, to everyone logged in to the same IRC channel as the user of the infected computer.  In response to the words karen, worm, virus and sex it automatically changes the nick under which the infected user is present on IRC.  An IRC user who uses words containing the strings script, infected or dcc is ignored.  At any word containing the letter “e” the infected computer is connected to the channel #teamvirus.

The worm also looks for the directory C:\inetpub\wwwroot.  If it finds it, the worm renames the original file C:\inetpub\wwwroot\default.htm to C:\inetpub\wwwroot\redesi.htm and copies itself into that directory as the file Web.exe.  It replaces the original default.htm with a new one which displays the text We Are Forever.  Clicking on that text offers the file Web.exe for download.
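
A host triage check for the file and registry artifacts listed above, as an added example that is not part of the original encyclopedia entry. It assumes the suspect C: volume is mounted at a directory and that the HKLM Run key has been exported to a name-to-data mapping; it treats Run\Karen as an entry named Karen under Run, matches names case-insensitively as Windows does, and the names resolve_nocase, triage and make_sample_volume are hypothetical.

```python
import os
import tempfile

# Paths relative to C:\ as given in the description; C:\WINDOWS is the
# install directory the description itself names (an assumption elsewhere).
FILE_INDICATORS = {
    r"WINDOWS\karen.exe": "worm copy in the Windows directory",
    r"Mirc\script.ini": "script.ini in C:\\Mirc (inspect its contents)",
    r"inetpub\wwwroot\Web.exe": "worm copy offered for download",
    r"inetpub\wwwroot\redesi.htm": "renamed original default.htm",
}
RUN_NAME = "Karen"  # entry under HKLM\...\CurrentVersion\Run


def resolve_nocase(root, relpath):
    """Resolve a Windows-style path under root ignoring case; None if absent."""
    current = root
    for part in relpath.split("\\"):
        try:
            names = os.listdir(current)
        except OSError:
            return None
        hit = next((n for n in names if n.lower() == part.lower()), None)
        if hit is None:
            return None
        current = os.path.join(current, hit)
    return current


def triage(root, run_entries):
    """Return [(indicator, note)] for a mounted volume and a Run-key export."""
    found = [("C:\\" + rel, note) for rel, note in FILE_INDICATORS.items()
             if resolve_nocase(root, rel)]
    found += [("Run\\" + name, "autostart entry: " + data)
              for name, data in run_entries.items()
              if name.lower() == RUN_NAME.lower()]
    return found


def make_sample_volume():
    """Constructed sample: a temp tree imitating an infected C: drive."""
    root = tempfile.mkdtemp()
    for rel in ("windows/KAREN.EXE", "inetpub/wwwroot/web.exe",
                "inetpub/wwwroot/redesi.htm", "inetpub/wwwroot/default.htm"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root
```

Calling triage(make_sample_volume(), {"karen": r"C:\WINDOWS\karen.exe"}) reports the three file artifacts and the autostart entry present in the constructed sample; a hit on script.ini alone needs a look at the file's contents before drawing a conclusion.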

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.