Security Incidents mailing list archives

SOPHOS REPLY: RE: Gokar Worm?


From: "Jagh, Kevin (TGA/MLOL)" <KJagh () exchange ml com>
Date: Thu, 13 Dec 2001 13:42:10 -0500

FROM SOPHOS:

Name: W32/Gokar-A
Type: Win32 worm
Date: 13 December 2001

A virus identity file (IDE) which provides protection is
available now from our website and will be incorporated
into the February 2002 (3.54) release of Sophos Anti-Virus.

At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory
following enquiries to our support department from customers.

Description:

W32/Gokar-A spreads via the internet by sending itself as an
email attachment to addresses in the Outlook address book. The
worm arrives in an email with the following characteristics:

The subject line and body text of the email are chosen randomly
from a selection including:

Subject:

  "If I were God and didn't belive in myself would it be
  blasphemy"
  "The A-Team VS KnightRider ... who would win ?"
  "Just one kiss, will make it better. just one kiss, and we will
  be alright."
  "I can't help this longing, comfort me."
  "And I miss you most of all, my darling ..."
  "... When autumn leaves start to fall"
  "It's dark in here, you can feel it all around. The
  underground."
  "I will always be with you sometimes black sometimes white ..."

Body:

  "Happy Birthday
  Yeah ok, so it's not yours it's mine :)
  still cause for a celebration though, check out the details I
  attached"

  "Hey
  They say love is blind ... well, the attachment probably proves
  it.
  Pretty good either way though, isn't it ?"

  "You should like this, it could have been made for you speak to
  you later"

The attachment filename will also be random characters with a
BAT, COM, EXE, SCR or PIF extension.

W32/Gokar-A also tries to spread via mIRC by overwriting the
script.ini file of the mIRC client so that it will send the worm
to other mIRC users.

If the infected computer is being used as a web server via
Personal Web Server or IIS (Microsoft Internet Information
Server), then the worm drops a copy of itself as web.exe in the
C:\inetpub\wwwroot directory. It also replaces the file
default.htm (which will be the home page of the website if the
default installation was used) in the C:\inetpub\wwwroot
directory. The copy of default.htm created by the worm will
download the worm (web.exe) to the computer of users visiting
the website.

The worm drops itself into the Windows directory as karen.exe
and sets the registry key

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Karen =
C:\<windows directory>\karen.exe

so that this file will run on Windows startup.


Download the IDE file from
http://www.sophos.com/downloads/ide/gokar-a.ide

Read the analysis at
http://www.sophos.com/virusinfo/analyses/w32gokara.html

Download a ZIP file containing all the IDE files available for
the current version of Sophos Anti-Virus from
http://www.sophos.com/downloads/ide/ides.zip

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

To unsubscribe from this service please visit
http://www.sophos.com/virusinfo/notifications



Kevin Jagh
VP, Manager
SI&DS/Technology Support
570 Washington St. 2nd Floor
212-647-2231
888-MERRIL0, PIN is Kevin Jagh
9121472 () skytel com
Kevin_Jagh () ml com



-----Original Message-----
From: Jeremy G Byrne [mailto:jeremy () cygnus uwa edu au]
Sent: Wednesday, December 12, 2001 11:52 PM
To: incidents () securityfocus com
Subject: Gokar Worm?


Hi All--

Just received a message cleaned by yahoogroups.com of
something their NT-based "InterScan E-Mail VirusWall"
product calls "WORM_GOKAR.A". The social engineering
aspect of the carrier email is quite disturbing:

Subject: You just take a giant step, one step higher.
[...]
Hey
They say love is blind ... well, the attachment probably 
proves it. Pretty good either way though, isn't it ?
[PSEUDO NYM]

(where [PSEUDO NYM] is the name of the person from whose
account the email originates--which the worm must somehow
be harvesting from extant email).

The attachment had been replaced by yahoogroups' filters
with the following message:

--

****** Message from InterScan E-Mail VirusWall NT ******

** WARNING! Attached file y343rvy343rvy343rv28835589575y343rv.pif contains:

     WORM_GOKAR.A virus

   Attempted to clean the file but it is not cleanable.
   It has been deleted.
*****************     End of message     ***************

--

The really odd thing is that I can't find any references
to a "Gokar Worm" on google, google's usenet mirror, or
on several specialist av sites I've checked. Is this a 
case of commercial non-disclosure?

CYa,
JEREMY
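The Sophos advisory quoted above gives enough concrete artefacts to triage a suspect host or an inbound message: the subject-line list and executable attachment extensions on the mail side, and the Run\Karen registry value, karen.exe in the Windows directory, web.exe and the replaced default.htm in C:\inetpub\wwwroot, and the overwritten mIRC script.ini on the host side. The script below is an added example, not code from Sophos, SecurityFocus or either poster. The pure functions take already-collected data so they run on any platform; collect_windows() gathers the same data from a live Windows host. Assumptions, marked in comments: the mIRC install path C:\mIRC\script.ini, that the worm's default.htm names web.exe in its markup, and that the overwritten script.ini carries a DCC send of an executable (the advisory does not give the contents of either file).

```python
"""Triage helpers for the W32/Gokar-A indicators described in the Sophos advisory."""
import os
import re
import sys

# Subject lines listed in the advisory (verbatim, worm's own spelling kept),
# plus the one seen in the sample message earlier in this thread.
GOKAR_SUBJECTS = {
    "If I were God and didn't belive in myself would it be blasphemy",
    "The A-Team VS KnightRider ... who would win ?",
    "Just one kiss, will make it better. just one kiss, and we will be alright.",
    "I can't help this longing, comfort me.",
    "And I miss you most of all, my darling ...",
    "... When autumn leaves start to fall",
    "It's dark in here, you can feel it all around. The underground.",
    "I will always be with you sometimes black sometimes white ...",
    "You just take a giant step, one step higher.",
}
# Extensions the advisory says the random attachment filename uses.
GOKAR_ATTACHMENT_EXTS = {".bat", ".com", ".exe", ".scr", ".pif"}

# Registry value and filenames named in the advisory.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Karen"
DROPPED_EXE = "karen.exe"
WEB_DROP = "web.exe"
WWWROOT = r"C:\inetpub\wwwroot"  # default IIS / Personal Web Server root per the advisory


def classify_mail(subject, attachment_names):
    """Return indicator strings for one inbound message (empty list = nothing matched).
    A subject match alone is weak evidence; subject plus executable attachment is strong."""
    hits = []
    if subject.strip() in GOKAR_SUBJECTS:
        hits.append("subject matches Gokar-A list")
    for name in attachment_names:
        if os.path.splitext(name)[1].lower() in GOKAR_ATTACHMENT_EXTS:
            hits.append("executable attachment " + name)
    return hits


def assess_host(run_values, windows_dir_files, wwwroot_files,
                default_htm_text="", script_ini_text=""):
    """Check collected host data against the advisory's artefacts.
    run_values: {value name: data} read from HKLM\\...\\Run
    windows_dir_files / wwwroot_files: basenames found in those directories
    default_htm_text / script_ini_text: file contents, or "" if the file is absent."""
    findings = []
    data = run_values.get(RUN_VALUE, "")
    if data.lower().endswith(DROPPED_EXE):
        findings.append("Run\\%s -> %s" % (RUN_VALUE, data))
    if DROPPED_EXE in {f.lower() for f in windows_dir_files}:
        findings.append(DROPPED_EXE + " present in Windows directory")
    if WEB_DROP in {f.lower() for f in wwwroot_files}:
        findings.append(WEB_DROP + " present in " + WWWROOT)
    # Assumption: the replaced default.htm names web.exe in its markup; the
    # advisory only says the page downloads web.exe to visitors.
    if re.search(r"web\.exe", default_htm_text, re.IGNORECASE):
        findings.append("default.htm references " + WEB_DROP)
    # Assumption: an overwritten mIRC script.ini sends an executable via DCC;
    # the advisory does not give the script's contents, so review any hit by hand.
    if re.search(r"dcc\s+send\b.*\.(exe|pif|scr|com|bat)\b", script_ini_text, re.IGNORECASE):
        findings.append("mIRC script.ini sends an executable via DCC")
    return findings


def collect_windows(mirc_script_ini=r"C:\mIRC\script.ini"):
    """Gather the inputs for assess_host() from a live Windows host (Windows only).
    The mIRC path is an assumption; adjust it to the local install."""
    import winreg  # only importable on Windows
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values under the key
                break
            run_values[name] = str(data)
            index += 1

    def read_text(path):
        try:
            with open(path, "r", errors="replace") as fh:
                return fh.read()
        except OSError:
            return ""

    def listdir(path):
        try:
            return os.listdir(path)
        except OSError:
            return []

    windir = os.environ.get("SystemRoot", r"C:\Windows")
    return assess_host(run_values, listdir(windir), listdir(WWWROOT),
                       read_text(os.path.join(WWWROOT, "default.htm")),
                       read_text(mirc_script_ini))


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("collect_windows() needs Windows; classify_mail/assess_host run anywhere")
    for line in collect_windows():
        print("INDICATOR:", line)
```

Running the script on a Windows host prints one INDICATOR line per artefact found; an empty result means none of the advisory's named artefacts is present, not that the host is clean, since the attachment filename is random and the advisory describes only one variant.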


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


