RE: CRIME Gokar

From: Kuo, Jimmy (Jimmy_Kuo@private)
Date: Thu Dec 13 2001 - 11:01:26 PST


    Detectable by our normal DAT release 4176, released yesterday.  Which means
    most corporates that update normally would already be protected.
    
    Data shows that a bunch of infections hit Australia last night and that's
    about it.
    
    Jimmy
    
    -----Original Message-----
    From: T. Kenji Sugahara
    To: Crime
    Sent: 12/13/01 10:25 AM
    Subject: CRIME Gokar
    
    If you haven't already heard (from IDG).
    It looks like your standard .pif, .scr, .exe, .com, .bat worm.  I haven't
    run into it yet.  (surprisingly since I seem to be a magnet for these
    things):
    
    ----
    A new worm called "Gokar" began to spread across the Internet Thursday via
    e-mail, the chat program mIRC and the Web, according to a trio of antivirus
    firms.
    
    The worm is not destructive and has not yet infected many systems, but as
    with any mass-mailer worm, could become a nuisance as unsuspecting users
    spread it. Like other mass-mailing worms such as Anna Kournikova or
    Badtrans, Gokar spreads through Microsoft Corp.'s Outlook and Outlook
    Express e-mail clients when a user clicks on an attachment sent with the
    infected message, according to antivirus firms Symantec Corp., F-Secure
    Corp. and Trend Micro Inc. Infected e-mail arrives in user inboxes with
    dozens of combinations of different subject lines, body messages and
    filenames, though each attachment will end with the .PIF, .SCR, .EXE, .COM
    or .BAT extensions, the companies said.
    
    When the attachment is double-clicked, the worm installs a file called
    Karen.exe on the infected system and mails itself to all addresses listed
    in the computer's address book. The worm then runs every time the infected
    computer is booted up. Whether a system is infected or not can be
    determined by searching for the Karen.exe file.
    
    The worm also uses the chat program mIRC (Internet Relay Chat), the
    companies said. Gokar searches the infected PC for the mIRC application,
    and if it finds it, attempts to infect IRC users in the same discussion, or
    channel, as the infected system whenever the application is started,
    according to Trend Micro.
    
    Lastly, if an infected system is running Microsoft's IIS (Internet
    Information Services) Web server software, the worm will modify the default
    Web page on the system and offer users visiting the site a chance to
    download the worm, according to F-Secure. An infected Web site will be
    changed to display the text "We are Forever" and point users to a link to
    download a file called Web.exe, which contains the Gokar worm, according to
    Symantec.
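
Added example, not part of either message or of any vendor's tooling: a host triage sketch built only from the indicators quoted above (the Karen.exe file, the "We are Forever" page linking to Web.exe, and the listed attachment extensions). The directory names, the page file types scanned, and the sample tree are assumptions constructed for the demo.

```python
import os
import re
import tempfile

WORM_FILE = "karen.exe"          # file the article says the worm installs
DEFACE_TEXT = "we are forever"   # text the article says the page displays
DOWNLOAD_LINK = re.compile(r"""href\s*=\s*["']?[^"'>\s]*web\.exe""", re.I)
RISKY_EXT = (".pif", ".scr", ".exe", ".com", ".bat")  # extensions from the article
PAGE_EXT = (".htm", ".html", ".asp")  # assumption: page types worth scanning

def find_worm_file(root):
    """Return paths under root named Karen.exe, compared case-insensitively."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, f) for f in files if f.lower() == WORM_FILE]
    return sorted(hits)

def find_defaced_pages(web_root):
    """Return pages that carry both the defacement text and a link to Web.exe."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if not name.lower().endswith(PAGE_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                text = fh.read()
            if DEFACE_TEXT in text.lower() and DOWNLOAD_LINK.search(text):
                hits.append(path)
    return sorted(hits)

def risky_attachment(filename):
    """True if the final extension is listed; Windows ignores trailing dots/spaces."""
    return filename.strip().rstrip(".").lower().endswith(RISKY_EXT)

def build_sample(base):
    """Constructed sample tree: one infected-looking layout and one clean page."""
    os.makedirs(os.path.join(base, "sys"))
    os.makedirs(os.path.join(base, "wwwroot", "clean"))
    open(os.path.join(base, "sys", "KAREN.EXE"), "wb").close()
    with open(os.path.join(base, "wwwroot", "default.htm"), "w") as fh:
        fh.write('<html><body>We are Forever <a href="Web.exe">get</a></body></html>')
    with open(os.path.join(base, "wwwroot", "clean", "index.html"), "w") as fh:
        fh.write("<html><body>Welcome</body></html>")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(find_worm_file(tmp))
        print(find_defaced_pages(os.path.join(tmp, "wwwroot")))
```

A clean result from the file search is weak evidence on its own, since a filename match says nothing about renamed copies; the signature-based detection mentioned in the reply remains the authoritative check.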
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:37:33 PDT