File KAREN.EXE in the Windows directory
For IIS servers: file C:\Inetpub\wwwroot\Web.exe
1. Make sure that you have the latest updates using BitDefender Live!;
2. Make the following changes in the windows registry:
Please make sure to modify only the values that are specified. It is also recommended to backup the Windows Registry before proceeding with these changes.
a) Select Run... from the Start menu, then type regedit and press Enter;
b) Delete the following key:
3. Perform a full scan of your system (selecting, from the Action tab, the option "Prompt user for action"). Choose to delete all the files infected with Win32.Gokar.A@mm.
Costin Ionescu, BitDefender Virus Researcher
This is a worm which uses three methods to spread:
- using Outlook to send infected e-mails;
- using the mIRC client to send itself to people who chat with the infected user;
- modifying the default Web page of IIS servers.
To avoid behaviour-based detection, the virus tries to close some antivirus monitors.
When the virus is executed it copies itself into the Windows directory under the name KAREN.EXE,
and also under a randomly generated name composed from the following strings: tgfdfg, jhfxvc, cgfd2, trevc, t6tr, ffdasf, glkfh, fhjdv, qesac, kujzv, weafs, twat, rewfd, gfdsf, hgbv, fdsc, p0olik, 3tgf, rf43dr, t54refd, ut545a, r4354gkjw, vgrewu, xw54re, y343rv, z3vdf
with one or more of the extensions .pif, .scr, .exe, .com, .bat.
This file is attached to the infected e-mails that are sent.
The e-mail has the following format:
Subject: one of these (in order of probability to appear):
- If I were God and didn't belive in myself would it be blasphemy
- The A-Team VS KnightRider ... who would win ?
- Just one kiss, will make it better. just one kiss, and we will be alright.
- I can't help this longing, comfort me.
- And I miss you most of all, my darling ...
- ... When autumn leaves start to fall
- It's dark in here, you can feel it all around.
- I will always be with you sometimes black sometimes white ...
- .. and there's no need to be scared, you re always on my mind.
- You just take a giant step, one step higher.
- The air will hold you if you try, trust my wings of desire. Glory, Glorified.......
- The horizons lean forward, offering us space to place new steps of change.
- I like this calm, moments before the storm
- Darling, when did you fall..when was it over ?
- Will you meet me .... and we
Body: one of the following texts:
You should like this, it could have been made for you
speak to you later
They say love is blind ... well, the attachment probably proves it.
Pretty good either way though, isn't it ?
Yeah ok, so it's not yours it's mine :)
still cause for a celebration though, check out the details I attached
This made me laugh
Got some more stuff to tell you later but I'can't stop right now
so I'll email you later or give you a ring if thats ok ?!
Speak to you later
At the end of the body the virus writes the victim's name (as declared in the Windows installation).
With this e-mail prepared, the virus sends it to all the contacts in the Outlook Address Book.
An example of an infected e-mail is this:
After this the virus creates the following registry entry so that it is executed each time Windows is restarted: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Karen
with the value "%WinDir%\karen.exe".
It also searches for gone.scr in the System directory and deletes it if found; this file is created by the Win32.Gone.A@mm virus.
If the directory c:\mirc exists, the virus drops the file script.ini, which tries to send the virus to each person who chats with the victim. The script also suppresses some phrases that could be used to notify the victim that they are infected.
If the virus finds the folder C:\Inetpub\wwwroot (the default folder for the IIS Web service), it copies the existing default.htm
and overwrites the default page to look like this:
and when this page is accessed the browser will try to download a file Web.exe, to which the virus also copies itself.
A destructive side effect on IIS servers is that when the virus is executed a second time it effectively deletes the original default Web page, because redesi.htm, where the original page was saved, is overwritten with the previously infected default.htm.
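As an added example (not part of BitDefender's description or tooling), the following Python gathers the file, registry and e-mail indicators listed above into a small checker that an analyst could run over collected file listings, Run-key exports or mail metadata. The function names and the constructed sample inputs are my own; the random-name rule assumes a copy is named with one or more of the listed fragments followed by one or more of the listed extensions, and Web.exe is only treated as an indicator inside the IIS web root the description names.

```python
"""Indicator checks for Win32.Gokar.A@mm, derived from the description above.
Added example, not BitDefender's tooling: helper names are my own and the
sample paths, registry entry and e-mail near the end are constructed."""
import re
from typing import List, Optional

# Fragments and extensions the worm combines into its randomly named copies.
RANDOM_NAME_PARTS = [
    "tgfdfg", "jhfxvc", "cgfd2", "trevc", "t6tr", "ffdasf", "glkfh", "fhjdv",
    "qesac", "kujzv", "weafs", "twat", "rewfd", "gfdsf", "hgbv", "fdsc",
    "p0olik", "3tgf", "rf43dr", "t54refd", "ut545a", "r4354gkjw", "vgrewu",
    "xw54re", "y343rv", "z3vdf",
]
DROPPER_EXTENSIONS = ["pif", "scr", "exe", "com", "bat"]

# Assumption: one or more fragments, then one or more extensions (e.g. kujzv.scr.exe).
_RANDOM_NAME_RE = re.compile(
    r"^(?:%s)+(?:\.(?:%s))+$"
    % ("|".join(map(re.escape, RANDOM_NAME_PARTS)), "|".join(DROPPER_EXTENSIONS)),
    re.IGNORECASE,
)

# Persistence entry from the description: value "Karen" under the HKLM Run key.
RUN_KEY_PATH = r"software\microsoft\windows\currentversion\run"
RUN_VALUE_NAME = "karen"

# Subjects from the description; the last one is cut short on the page, so the
# check below looks for a known subject as a substring rather than an exact match.
KNOWN_SUBJECTS = [
    "If I were God and didn't belive in myself would it be blasphemy",
    "The A-Team VS KnightRider ... who would win ?",
    "Just one kiss, will make it better. just one kiss, and we will be alright.",
    "I can't help this longing, comfort me.",
    "And I miss you most of all, my darling ...",
    "... When autumn leaves start to fall",
    "It's dark in here, you can feel it all around.",
    "I will always be with you sometimes black sometimes white ...",
    ".. and there's no need to be scared, you re always on my mind.",
    "You just take a giant step, one step higher.",
    "The air will hold you if you try, trust my wings of desire. Glory, Glorified.......",
    "The horizons lean forward, offering us space to place new steps of change.",
    "I like this calm, moments before the storm",
    "Darling, when did you fall..when was it over ?",
    "Will you meet me .... and we",
]


def _normalise(text: str) -> str:
    """Collapse whitespace and case so cosmetic differences do not hide a match."""
    return " ".join(text.split()).lower()


def classify_path(path: str) -> Optional[str]:
    """Label a file path that matches one of the worm's file indicators, else None."""
    parts = path.replace("/", "\\").lower().split("\\")
    name, parent = parts[-1], "\\".join(parts[:-1])
    if name == "karen.exe":
        return "karen.exe copy"
    # Web.exe is only an indicator in the IIS web root the description names.
    if name == "web.exe" and parent.endswith(r"\inetpub\wwwroot"):
        return "IIS download dropper"
    if _RANDOM_NAME_RE.match(name):
        return "random-named copy"
    return None


def is_persistence_entry(key: str, value_name: str, data: str) -> bool:
    """True for the Run value the worm writes (HKLM\\...\\Run\\Karen = %WinDir%\\karen.exe)."""
    hive, _, subkey = key.replace("/", "\\").partition("\\")
    return (
        hive.lower() in ("hkey_local_machine", "hklm")
        and subkey.lower() == RUN_KEY_PATH
        and value_name.lower() == RUN_VALUE_NAME
        and data.lower().endswith("karen.exe")
    )


def classify_mail(subject: str, attachment_name: str) -> List[str]:
    """Return the worm-mail findings for a message: known subject and/or dropper attachment."""
    findings = []
    subject_norm = _normalise(subject)
    if any(_normalise(known) in subject_norm for known in KNOWN_SUBJECTS):
        findings.append("known subject")
    if classify_path(attachment_name) is not None:
        findings.append("dropper attachment")
    return findings


def scan_samples() -> dict:
    """Run the checks over constructed sample data (not real collection output)."""
    sample_paths = [
        r"C:\Windows\KAREN.EXE",
        r"C:\Windows\kujzv.scr.exe",
        r"C:\Inetpub\wwwroot\Web.exe",
        r"C:\Program Files\Web.exe",  # same name outside the web root: not flagged
        r"C:\Windows\notepad.exe",
    ]
    return {
        "files": {p: classify_path(p) for p in sample_paths},
        "run_key": is_persistence_entry(
            r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
            "Karen", r"%WinDir%\karen.exe"),
        "mail": classify_mail("Re: The A-Team VS KnightRider ... who would win ?",
                              "kujzv.scr"),
    }


if __name__ == "__main__":
    for section, result in scan_samples().items():
        print(section, result)
```

The subject check is deliberately a substring match after whitespace and case normalisation, because one subject on the page is truncated and mail clients prepend "Re:"/"Fwd:"; the file check, by contrast, is strict on the random-name pattern so that ordinary executables are not flagged.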