I-Worm.Gokar, W32/Gokar-A, W32/[email protected], WORM_GOKAR.A, Win32.Gokar, Email-Worm.Win32.Gokar, Win32.HLLW.Karen, Win32/[email protected], W32/Gokar.1, Win32:Gokar
Category: Computer Worm
North and South America, Asia, Australia
12 Dec 2001
Many antivirus developers have observed this Internet worm using a spreading routine that sends spam email messages. The Gokar worm usually attaches a copy of itself to each message in an attempt to trick the recipient into launching the file and infecting their computer system. The threat relies on the email addresses stored on the compromised machine to send its malicious messages to unsuspecting computer users.
The files associated with the Gokar worm normally carry the file extensions BAT, COM, PIF, SCR, and EXE, among others. The filenames used may be chosen randomly from text strings hard-coded into the worm. Although known primarily as a mass-mailing worm, Gokar actually makes use of three spreading routines to infect other computer systems and network environments. The first method is to harvest all email addresses stored in the Microsoft Outlook address book. The worm hijacks the user's account and sends a spiked email message to the contacts without the user's knowledge. In most instances the recipients assume that the spiked email messages are authentic, which accounts for the high success rate of the malware's infection.

The next method is to create an initialization script that takes over the functionality of an Internet Relay Chat client. The worm uses the client to send its code to any contact who chats with the user of the infected computer system. The contact remains unaware of the infection and will unsuspectingly execute any sent file. The last method is to modify the default Web page for the IIS servers of the infected host. As part of its defense mechanism, the worm terminates any running security processes and protocols.
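
A mail-gateway style check for the attachment extensions listed above, as an added example that is not part of the original page: it parses a message with Python's standard `email` package and flags attachments whose final extension is BAT, COM, PIF, SCR or EXE. The function names, addresses and filenames are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the page lists for this worm's files ("among others").
RISKY_EXTENSIONS = {".bat", ".com", ".pif", ".scr", ".exe"}


def risky_attachments(raw_bytes):
    """Return the filenames of attachments whose final extension is risky."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    flagged = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition, then Content-Type "name".
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so "a.scr." still
        # resolves to a .scr file; normalise before comparing.
        cleaned = name.strip().rstrip(". ").lower()
        dot = cleaned.rfind(".")
        # Only the last extension decides how the file is launched, so
        # "holiday.jpg.scr" is treated as .scr.
        if dot != -1 and cleaned[dot:] in RISKY_EXTENSIONS:
            flagged.append(name)
    return flagged


def build_sample(filename, payload=b"constructed placeholder bytes"):
    """Build a constructed test message; every value here is made up."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for sample in ("Readme.PIF", "holiday.jpg.scr", "report.pdf"):
        print(sample, "->", risky_attachments(build_sample(sample)))
```

A gateway would quarantine or strip any message for which `risky_attachments` returns a non-empty list, regardless of how trustworthy the sender address looks.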