McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Business Home McAfee Labs Threat Intelligence

W32/Gokar@MM

This page shows details and results of our analysis on the malware W32/Gokar@MM

Threat Detail

Malware Type: Virus

Malware Sub-type: Internet Worm

Discovery Date: 2001-12-10

Next Steps:

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT

4176 (2001-12-12)

Updated DAT

4317 (2004-01-21)

 Minimum Engine

5.1.00

File Length

14336

Description Added

2001-12-12

Description Modified

2002-11-20

Malware Proliferation

Characteristics

This worm spreads over Internet Relay Chat, e-mail, and by serving an infected page to users if the infected computer is running a web server.

This worm typically arrives in an email message containing the following information:

Subject:: I were God and didn't belive in myself would it be blasphemy
or Subject: Just one kiss, will make it better. just one kiss, and we will be alright.
or Subject: I like this calm, moments before the storm
or Subject: .. and there's no need to be scared, you re always on my mind.
or Subject: The horizons lean forward, offering us space to place new steps of change.
or Subject: The A-Team VS KnightRider ... who would win ?
or Subject: I can't help this longing, comfort me.
or Subject: And I miss you most of all, my darling ...
or Subject: ... When autumn leaves start to fall
or Subject: I will always be with you sometimes black sometimes white ...
or Subject: The air will hold you if you try, trust my wings of desire. Glory, Glorified.......
or Subject: Darling, when did you fall..when was it over ?
or Subject: You just take a giant step, one step higher.
or Subject: It's dark in here, you can feel it all around. The underground.

Body:
Happy Birthday
Yeah ok, so it's not yours it's mine :)
still cause for a celebration though, check out the details I attached
%Sender's name%

or Body:
Hey
They say love is blind ... well, the attachment probably proves it.
Pretty good either way though, isn't it ?
%Sender's name%

or Body:
You should like this, it could have been made for you
speak to you later
%Sender's name%

Attachment: (Random letters and numbers).bat
or Attachment: (Random letters and numbers).com
or Attachment: (Random letters and numbers).exe
or Attachment: (Random letters and numbers).pif
or Attachment: (Random letters and numbers).scr

Executing this attachment infects the local machine. The worm copies itself to the WINDOWS directory as Karen.exe and creates a registry run key to load itself at startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run\Karen=C:\WINDOWS\karen.exe

It tries to send itself to all users found in the Microsoft Outlook Address book.

It drops a mIRC script called script.ini which will send the worm to other users when they enter the same IRC channel as an infected user. If someone in the same channel as the infected user says something containing the text

  • "karen", the user's alias is changed to "W32_Karen"
  • "worm", the user's alias is changed to "W32Karen1"
  • "virus", the user's alias is changed to "KarenWorm"
  • "sex", the user's alias is changed to "KarenGobo"
  • "infected" or "dcc", the user will ignore the person who said those words
If someone sends a private message to the infected user containing the text
  • "script", "infected" or "dcc", the user will ignore the person who said those words
  • "e", the infected user will join the channel "#teamvirus"
If the infected user is running a web server from the default installation path on the C: drive (c:\inetpub\wwwroot), the worm will also try to spread to users who visit web server. It will copy itself to c:\inetpub\wwwroot\web.exe, and create a c:\inetpub\wwwroot\default.htm which will automatically prompt the user to run/save the worm (WEB.EXE).

Symptoms

Presence of %WinDIr%\Karen.exe

Method of Infection

This worm arrives as an email attachment, IRC message attachment, or web page download. Executing this file infects the local system which is then used to propagate the virus via email (Microsoft Outlook), IRC (mIRC client script), and web serving (Microsoft IIS/Personal Web Server).

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue 'fixmbr' command to restore the Master Boot Record
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.

Variants

United States - English