W32/Gokar@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 12/10/2001
Length: 14336
Minimum DAT: 4176 (12/12/2001)
Updated DAT: 4317 (01/21/2004)
Minimum Engine: 5.1.00
Description Added: 12/12/2001
Description Modified: 11/20/2002 8:54 AM (PT)
Risk Assessment: Corporate User: Low; Home User: Low

Characteristics

This worm spreads over Internet Relay Chat, e-mail, and by serving an infected page to users if the infected computer is running a web server.

This worm typically arrives in an email message containing the following information:

Subject: I were God and didn't belive in myself would it be blasphemy
or Subject: Just one kiss, will make it better. just one kiss, and we will be alright.
or Subject: I like this calm, moments before the storm
or Subject: .. and there's no need to be scared, you re always on my mind.
or Subject: The horizons lean forward, offering us space to place new steps of change.
or Subject: The A-Team VS KnightRider ... who would win ?
or Subject: I can't help this longing, comfort me.
or Subject: And I miss you most of all, my darling ...
or Subject: ... When autumn leaves start to fall
or Subject: I will always be with you sometimes black sometimes white ...
or Subject: The air will hold you if you try, trust my wings of desire. Glory, Glorified.......
or Subject: Darling, when did you fall..when was it over ?
or Subject: You just take a giant step, one step higher.
or Subject: It's dark in here, you can feel it all around. The underground.

Body:
Happy Birthday
Yeah ok, so it's not yours it's mine :)
still cause for a celebration though, check out the details I attached
%Sender's name%

or Body:
Hey
They say love is blind ... well, the attachment probably proves it.
Pretty good either way though, isn't it ?
%Sender's name%

or Body:
You should like this, it could have been made for you
speak to you later
%Sender's name%

Attachment: (Random letters and numbers).bat
or Attachment: (Random letters and numbers).com
or Attachment: (Random letters and numbers).exe
or Attachment: (Random letters and numbers).pif
or Attachment: (Random letters and numbers).scr
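A mail-gateway style check for the message pattern described above, as an added example (not part of the original description or any vendor tool). The function names, the sample attachment name `a8k2q9.scr` and the sample message are constructed for illustration, and only three of the listed subjects are included.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Indicators copied from the description above (subject list abbreviated).
SUBJECTS = {
    "i like this calm, moments before the storm",
    "the a-team vs knightrider ... who would win ?",
    "you just take a giant step, one step higher.",
}
BODY_MARKERS = (
    "check out the details i attached",
    "the attachment probably proves it",
    "it could have been made for you",
)
# "(Random letters and numbers)" plus one of the five listed extensions.
ATTACHMENT_RE = re.compile(r"^[a-z0-9]+\.(bat|com|exe|pif|scr)$", re.I)

def _norm(text):  # lower-case and collapse whitespace so wrapping is ignored
    return " ".join(text.lower().split())

def triage(raw_message):
    """Return the list of Gokar indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    if _norm(msg.get("Subject", "")) in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACHMENT_RE.match(name.strip()):
            hits.append("attachment:" + name)
        elif part.get_content_type() == "text/plain" and not name:
            body = _norm(part.get_content())
            if any(marker in body for marker in BODY_MARKERS):
                hits.append("body")
    return hits

def is_suspect(raw_message):
    """Flag only when an executable attachment coincides with known text."""
    hits = triage(raw_message)
    return any(h.startswith("attachment:") for h in hits) and bool({"subject", "body"} & set(hits))

def build_sample():
    """Constructed sample: listed subject and body with a dummy attachment."""
    m = EmailMessage()
    m["Subject"] = "I like this calm, moments before the storm"
    m.set_content("Hey\nThey say love is blind ... well, the attachment probably proves it.\n")
    m.add_attachment(b"not a real executable", maintype="application",
                     subtype="octet-stream", filename="a8k2q9.scr")
    return m.as_string()
```

Requiring the attachment and a text match together keeps a message that merely quotes one of the subjects from being flagged.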

Executing this attachment infects the local machine. The worm copies itself to the WINDOWS directory as Karen.exe and creates a registry run key to load itself at startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Karen=C:\WINDOWS\karen.exe

It tries to send itself to all users found in the Microsoft Outlook Address Book.

It drops a mIRC script called script.ini, which will send the worm to other users when they enter the same IRC channel as an infected user. If someone in the same channel as the infected user says something containing the text:

  • "karen", the user's alias is changed to "W32_Karen"
  • "worm", the user's alias is changed to "W32Karen1"
  • "virus", the user's alias is changed to "KarenWorm"
  • "sex", the user's alias is changed to "KarenGobo"
  • "infected" or "dcc", the user will ignore the person who said those words

If someone sends a private message to the infected user containing the text:

  • "script", "infected" or "dcc", the user will ignore the person who said those words
  • "e", the infected user will join the channel "#teamvirus"

If the infected user is running a web server from the default installation path on the C: drive (c:\inetpub\wwwroot), the worm will also try to spread to users who visit the web server. It will copy itself to c:\inetpub\wwwroot\web.exe and create c:\inetpub\wwwroot\default.htm, which will automatically prompt the visitor to run or save the worm (WEB.EXE).

Symptoms

Presence of %WinDir%\Karen.exe

Method of Infection

This worm arrives as an email attachment, IRC message attachment, or web page download. Executing this file infects the local system, which is then used to propagate the virus via email (Microsoft Outlook), IRC (mIRC client script), and web serving (Microsoft IIS/Personal Web Server).

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm/Gokar (Prognet)
  • W32.Gokar.A@mm (NAV)
  • W32/Gokar.htm
  • Win32.Gokar (CA)
  • Win32.HLLW.Karen (DrWeb)
  • WORM_GOKAR.A (Trend)
