Name: W32/Gokar-A
Type: Win32 worm
Date: 13 December 2001
Description:
W32/Gokar-A spreads via the internet by sending itself as an
email attachment to addresses in the Outlook address book. The
worm arrives in an email with the following characteristics:
The subject line and body text of the email are chosen randomly
from a selection including:
Subject:
"If I were God and didn't belive in myself would it be blasphemy"
"The A-Team VS KnightRider ... who would win ?"
"Just one kiss, will make it better. just one kiss, and we will be alright."
"I can't help this longing, comfort me."
"And I miss you most of all, my darling ..."
"... When autumn leaves start to fall"
"It's dark in here, you can feel it all around. The underground."
"I will always be with you sometimes black sometimes white ..."
Body:
"Happy Birthday
Yeah ok, so it's not yours it's mine
still cause for a celebration though, check out the details I
attached"
"Hey
They say love is blind ... well, the attachment probably proves it.
Pretty good either way though, isn't it ?"
"You should like this, it could have been made for you speak to
you later"
The attachment filename will also be random characters with a
BAT, COM, EXE, SCR or PIF extension.
W32/Gokar-A also tries to spread via mIRC by overwriting the
script.ini file of the mIRC client so that it will send the worm
to other mIRC users.
If the infected computer is being used as a web server via
Personal Web Server or IIS (Microsoft Internet Information
Server), then the worm drops a copy of itself as web.exe in the
C:\inetpub\wwwroot directory. It also replaces the file
default.htm (which will be the home page of the website if the
default installation was used) in the C:\inetpub\wwwroot
directory. The copy of default.htm created by the worm will
download the worm (web.exe) to the computer of users visiting
the website.
The worm drops itself into the Windows directory as karen.exe
and sets the registry key
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Karen =
C:\<windows directory>\karen.exe
so that this file will run on Windows startup.
Read the analysis at
http://www.sophos.com/virusinfo/analyses/w32gokara.html
http://www.sarc.com/avcenter/venc/data/w32.gokar.a@mm.html
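
The host artifacts listed in the advisory (the Run value, karen.exe, web.exe and the replaced default.htm) can be checked with a read-only script. This is an added example, not part of the original post or the vendor analysis; the function name Test-GokarArtifacts and the -MircDir parameter are hypothetical, and the web root defaults to the path the advisory names.

```powershell
# Added example: read-only check for the W32/Gokar-A artifacts in the advisory.
# Test-GokarArtifacts and its parameters are hypothetical names for this sketch.
function Test-GokarArtifacts {
    param(
        # Default web root named in the advisory; override for non-default installs.
        [string]$WebRoot = 'C:\inetpub\wwwroot',
        # Assumption: caller supplies the mIRC install folder (not given in the advisory).
        [string]$MircDir
    )
    $findings = @()

    # Run value "Karen" that starts karen.exe at Windows startup.
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'Karen' -ErrorAction SilentlyContinue
    if ($run) { $findings += "Run value 'Karen' = $($run.Karen)" }

    # Worm copy dropped in the Windows directory.
    $karen = Join-Path $env:windir 'karen.exe'
    if (Test-Path -LiteralPath $karen) { $findings += "File present: $karen" }

    # Worm copy dropped in the web root.
    $webExe = Join-Path $WebRoot 'web.exe'
    if (Test-Path -LiteralPath $webExe) { $findings += "File present: $webExe" }

    # Replaced home page that references web.exe.
    $defaultHtm = Join-Path $WebRoot 'default.htm'
    if ((Test-Path -LiteralPath $defaultHtm) -and
        (Select-String -LiteralPath $defaultHtm -Pattern 'web.exe' -SimpleMatch -Quiet)) {
        $findings += "$defaultHtm references web.exe"
    }

    # script.ini is overwritten by the worm; report it for manual review.
    if ($MircDir) {
        $ini = Join-Path $MircDir 'script.ini'
        if (Test-Path -LiteralPath $ini) {
            $t = (Get-Item -LiteralPath $ini).LastWriteTime
            $findings += "Review $ini (last written $t)"
        }
    }
    return $findings
}

$result = @(Test-GokarArtifacts)
if ($result.Count -eq 0) { 'No W32/Gokar-A artifacts found.' } else { $result }
```

A hit on default.htm only means the page mentions web.exe; compare it against a known-good copy before restoring.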