FROM SOPHOS:

Name: W32/Gokar-A
Type: Win32 worm
Date: 13 December 2001

A virus identity file (IDE) which provides protection is available now from
our website and will be incorporated into the February 2002 (3.54) release of
Sophos Anti-Virus.

At the time of writing Sophos has received no reports from users affected by
this worm. However, we have issued this advisory following enquiries to our
support department from customers.

Description:

W32/Gokar-A spreads via the internet by sending itself as an email attachment
to addresses in the Outlook address book. The worm arrives in an email with
the following characteristics:

The subject line and body text of the email are chosen randomly from a
selection including:

Subject:
"If I were God and didn't belive in myself would it be blasphemy"
"The A-Team VS KnightRider ... who would win ?"
"Just one kiss, will make it better. just one kiss, and we will be alright."
"I can't help this longing, comfort me."
"And I miss you most of all, my darling ..."
"... When autumn leaves start to fall"
"It's dark in here, you can feel it all around. The underground."
"I will always be with you sometimes black sometimes white ..."

Body:
"Happy Birthday
Yeah ok, so it's not yours it's mine :) still cause for a celebration
though, check out the details I attached"

"Hey
They say love is blind ... well, the attachment probably proves it.
Pretty good either way though, isn't it ?"

"You should like this, it could have been made for you
speak to you later"

The attachment filename will also be random characters with a BAT, COM, EXE,
SCR or PIF extension.

W32/Gokar-A also tries to spread via mIRC by overwriting the script.ini file
of the mIRC client so that it will send the worm to other mIRC users.

If the infected computer is being used as a web server via Personal Web Server
or IIS (Microsoft Internet Information Server), then the worm drops a copy of
itself as web.exe in the C:\inetpub\wwwroot directory. It also replaces the
file default.htm (which will be the home page of the website if the default
installation was used) in the C:\inetpub\wwwroot directory. The copy of
default.htm created by the worm will download the worm (web.exe) to the
computer of users visiting the website.

The worm drops itself into the Windows directory as karen.exe and sets the
registry key

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Karen = C:\<windows directory>\karen.exe

so that this file will run on Windows startup.

Download the IDE file from
http://www.sophos.com/downloads/ide/gokar-a.ide

Read the analysis at
http://www.sophos.com/virusinfo/analyses/w32gokara.html

Download a ZIP file containing all the IDE files available for the current
version of Sophos Anti-Virus from
http://www.sophos.com/downloads/ide/ides.zip

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

To unsubscribe from this service please visit
http://www.sophos.com/virusinfo/notifications

> Kevin Jagh
> VP, Manager
> SI&DS/Technology Support
> 570 Washington St. 2nd Floor
> 212-647-2231
> 888-MERRIL0, PIN is Kevin Jagh
> 9121472at_private
> Kevin_Jaghat_private
>

-----Original Message-----
From: Jeremy G Byrne [mailto:jeremyat_private]
Sent: Wednesday, December 12, 2001 11:52 PM
To: incidentsat_private
Subject: Gokar Worm?

Hi All--

Just received a message cleaned by yahoogroups.com of something their NT-based
"InterScan E-Mail VirusWall" product calls "WORM_GOKAR.A". The social
engineering aspect of the carrier email is quite disturbing:

>Subject: You just take a giant step, one step higher.
[...]
>Hey
>They say love is blind ... well, the attachment probably
>proves it. Pretty good either way though, isn't it ?
>[PSEUDO NYM]

(where [PSEUDO NYM] is the name of the person from whose account the email
originates--which the worm must somehow be harvesting from extant email).

The attachment had been replaced by yahoogroups' filters with the following
message:

>--
****** Message from InterScan E-Mail VirusWall NT ******
** WARNING! Attached file y343rvy343rvy343rv28835589575y343rv.pif contains:
WORM_GOKAR.A virus
Attempted to clean the file but it is not cleanable. It has been deleted.
***************** End of message ***************
>--

The really odd thing is that I can't find any references to a "Gokar Worm" on
google, google's usenet mirror, or on several specialist av sites I've checked.
Is this a case of commercial non-disclosure?

CYa,

JEREMY

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
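A gateway-side triage check for the carrier email that the Sophos advisory and Jeremy's report describe, as an added example that is not part of the original thread nor of any Sophos or Trend product: it matches a message's subject, body and attachment extension against the lure strings quoted above, and the sample message, its placeholder attachment bytes and the defaults in build_message are constructed here.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure strings quoted in the Sophos advisory. Sophos calls them a selection, not
# the full set, so the body and attachment checks matter as much as the subject.
GOKAR_SUBJECTS = {
    "If I were God and didn't belive in myself would it be blasphemy",
    "The A-Team VS KnightRider ... who would win ?",
    "Just one kiss, will make it better. just one kiss, and we will be alright.",
    "I can't help this longing, comfort me.",
    "And I miss you most of all, my darling ...",
    "... When autumn leaves start to fall",
    "It's dark in here, you can feel it all around. The underground.",
    "I will always be with you sometimes black sometimes white ...",
}
GOKAR_BODY_FRAGMENTS = ("they say love is blind", "check out the details i attached",
                        "it could have been made for you")
EXEC_EXTENSIONS = (".bat", ".com", ".exe", ".scr", ".pif")  # per the advisory


def assess_gokar(raw: bytes) -> dict:
    """Score one raw RFC 822 message; verdict True means quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content().lower() if body_part else ""
    exec_attachments = [p.get_filename() for p in msg.iter_attachments()
                        if (p.get_filename() or "").lower().endswith(EXEC_EXTENSIONS)]
    subject_match = subject in {s.lower() for s in GOKAR_SUBJECTS}
    body_match = any(frag in text for frag in GOKAR_BODY_FRAGMENTS)
    return {"subject_match": subject_match, "body_match": body_match,
            "exec_attachments": exec_attachments,
            # quarantine only when a lure matches AND an executable is attached
            "verdict": bool(exec_attachments) and (subject_match or body_match)}


def build_message(subject="You just take a giant step, one step higher.",
                  body="Hey\nThey say love is blind ... well, the attachment probably\n"
                       "proves it. Pretty good either way though, isn't it ?\n",
                  filename="y343rvy343rvy343rv28835589575y343rv.pif") -> bytes:
    """Constructed sample; the defaults are the carrier Jeremy quotes, and the
    attachment bytes are a harmless placeholder rather than the worm."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"placeholder, not malware", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

Jeremy's sample uses a subject that is not in Sophos' list, which is why the verdict rests on the body fragment plus the executable extension rather than on the subject alone.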
This archive was generated by hypermail 2b30 : Thu Dec 13 2001 - 10:50:21 PST