Classification

Category :

Malware

Type :

-

Aliases :

Gokar, W32/Gokar@mm, Karen

Summary

Gokar is a worm that spreads by email, IRC and IIS web pages. It was found in the wild early on December 13th, 2001. Gokar sends itself via Microsoft Outlook, using a long list of variable subject fields, message contents and attachment names. The attachment always has a PIF, SCR, COM, EXE or BAT extension.

An infected machine can be manually detected by checking for the existence of KAREN.EXE in the Windows directory.

If the infected machine is working as a web server, the worm modifies the Microsoft IIS start page so that every visitor to the website is offered WEB.EXE for download.

Gokar also modifies the mIRC chat client configuration to spread the worm further via IRC channels.

Gokar is detected by F-Secure Anti-Virus update shipped on 13th of December.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm is written in Visual Basic and has been compressed by the UPX file compressor.

The worm infects a computer when a user opens an infected attachment. The worm copies itself as KAREN.EXE into the Windows folder and modifies the Registry so that it is run every time Windows starts. The worm's file has the hidden attribute set. To do this the worm creates the following key:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Karen" = "<windir>\karen.exe"

where <windir> is the Windows directory name.

After that the worm opens the Outlook Address Book and sends itself to all email addresses it can find there. The infected messages can have different subjects and bodies.

The subject can be one of the following:


The message body can be one of the following:


After the body the worm appends the Windows registered user name (the name of the person Windows is registered to).

The attachment name is randomly composed from a few parts that are hardcoded in the worm's body. The attachment can have a .PIF, .SCR, .EXE, .BAT or .COM extension. Example:


Here's an example of an infected message:

The worm also spreads via IRC. It replaces the mIRC chat client's SCRIPT.INI file with its own. This script makes the worm send itself as KAREN.EXE to everyone joining an IRC channel where an infected user is present. The worm sends itself with the following message:


The worm also watches for specific text messages in the IRC channel and, on certain messages, can change the user's nickname to 'W32_Karen', 'W32Karen1', 'KarenWorm' or 'KarenGobo', or join the #teamvirus channel.

The worm can also spread from a web page. It checks whether the infected machine has the Microsoft IIS web server installed. If it is found, the worm copies itself as WEB.EXE to the IIS root folder, renames DEFAULT.HTM to REDESI.HTM (note: Redesi is the name of another virus) and creates its own DEFAULT.HTM page. A visitor who opens this page is prompted to download the WEB.EXE file. If the visitor chooses 'Run this file from current location', the worm is downloaded and activated on that system.
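As an added example (not F-Secure's tooling and not part of the original description), the following Python function turns the artefacts described above into an offline host check: it takes a snapshot of Run values, file paths, hidden attributes and the mIRC SCRIPT.INI contents and reports which Gokar indicators are present. The Windows directory, the IIS root and the sample snapshot in `demo()` are assumed and constructed, not real telemetry.

```python
import ntpath

WINDIR = r"C:\WINDOWS"            # assumed Windows directory for the snapshot
IIS_ROOT = r"C:\inetpub\wwwroot"  # IIS root folder named in the removal steps


def gokar_findings(run_values, files, hidden_files=(), mirc_script_ini=""):
    """Return a list of Gokar indicator hits for one host snapshot.

    run_values      -- {value name: data} read from HKLM\\...\\CurrentVersion\\Run
    files           -- iterable of full paths present on the host
    hidden_files    -- iterable of paths that carry the hidden attribute
    mirc_script_ini -- contents of mIRC's SCRIPT.INI, if mIRC is installed
    """
    present = {ntpath.normcase(p) for p in files}      # case-insensitive compare
    hidden = {ntpath.normcase(p) for p in hidden_files}
    findings = []

    # 1. Persistence: a "Karen" Run value, or any Run value launching karen.exe.
    for name, data in run_values.items():
        if name.lower() == "karen" or ntpath.basename(data).lower() == "karen.exe":
            findings.append(f"Run value {name!r} launches {data}")

    # 2. Dropped copy in the Windows directory; the worm sets it hidden.
    karen = ntpath.join(WINDIR, "karen.exe")
    if ntpath.normcase(karen) in present:
        state = "hidden" if ntpath.normcase(karen) in hidden else "not hidden"
        findings.append(f"{karen} present ({state})")

    # 3. IIS spreading: WEB.EXE dropped and the start page swapped for REDESI.HTM.
    web_exe = ntpath.join(IIS_ROOT, "web.exe")
    if ntpath.normcase(web_exe) in present:
        findings.append(f"{web_exe} present in IIS root")
    if ntpath.normcase(ntpath.join(IIS_ROOT, "redesi.htm")) in present:
        findings.append("REDESI.HTM present: original DEFAULT.HTM was renamed")

    # 4. IRC spreading: the replaced SCRIPT.INI refers to karen.exe.
    if "karen.exe" in mirc_script_ini.lower():
        findings.append("mIRC SCRIPT.INI references karen.exe")
    return findings


def demo():
    """Constructed snapshot of an infected IIS host (hypothetical data)."""
    run = {"Karen": r"C:\WINDOWS\karen.exe", "SystemTray": "SysTray.Exe"}
    files = [r"C:\WINDOWS\KAREN.EXE", r"C:\inetpub\wwwroot\WEB.EXE",
             r"C:\inetpub\wwwroot\REDESI.HTM", r"C:\inetpub\wwwroot\DEFAULT.HTM"]
    script = "[script]\n; constructed sample line that refers to karen.exe"
    return gokar_findings(run, files, hidden_files=[r"C:\WINDOWS\KAREN.EXE"],
                          mirc_script_ini=script)
```

A clean host (no Karen Run value, no KAREN.EXE, WEB.EXE or REDESI.HTM) yields an empty list, so the function doubles as a post-removal verification step.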

The worm also looks for and terminates processes belonging to anti-virus and security software. The following processes are killed:



Removal Instructions

To remove the Gokar worm from your system, please do the following:

1. Download and run the following REG file:

ftp://ftp.europe.f-secure.com/anti-virus/tools/gokardis.reg

2. Restart your system and scan your hard drive with F-Secure Anti-Virus (default settings). When FSAV detects the Gokar infection in KAREN.EXE in the Windows directory, select the 'Delete' disinfection action.

3. If the Gokar worm infected a web server, delete the WEB.EXE file from the C:\inetpub\wwwroot\ folder and rename REDESI.HTM (the original start page renamed by the worm) back to DEFAULT.HTM. To do this, open a DOS session and type the following at the command prompt (mind the spaces):


Press 'Enter' after each line.