Win32.Gokar.A@mm

HIGH
LOW
14336 bytes
(N/A)

Symptoms

  • File KAREN.EXE in the Windows directory
  • For IIS servers: file C:\Inetpub\wwwroot\Web.exe
Removal instructions:

    1. Make sure that you have the latest updates using BitDefender Live!;

    2. Make the following changes in the Windows registry:

    Please make sure to modify only the values that are specified. It is also recommended to back up the Windows Registry before proceeding with these changes.

    a) Select Run... from the Start menu, then type regedit and press Enter;
    b) Delete the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Karen

    3. Perform a full scan of your system (selecting, from the Action tab, the option "Prompt user for action"). Choose to delete all the files infected with Win32.Gokar.A@mm.

    Analyzed By

    Costin Ionescu BitDefender Virus Researcher

    Technical Description:

    This is a worm that uses 3 methods to spread:
    - using Outlook to send infected e-mails
    - using the mIRC client to send itself to people who chat with the infected user
    - modifying the default Web page of IIS servers.

    To evade behaviour-based detection, the virus tries to close some antivirus monitors.

    When the virus is executed it copies itself to the Windows directory under the name KAREN.EXE, and also under a randomly generated name composed from the following strings:
    tgfdfg, jhfxvc, cgfd2, trevc, t6tr, ffdasf, glkfh, fhjdv, qesac, kujzv, weafs, twat, rewfd, gfdsf, hgbv, fdsc, p0olik, 3tgf, rf43dr, t54refd, ut545a, r4354gkjw, vgrewu, xw54re, y343rv, z3vdf
    followed by one or more of these extensions: .pif, .scr, .exe, .com, .bat
    Example: glkfhglkfhglkfh142125362725glkfh.exe
    This file is attached to the infected e-mails that the worm sends.

    The e-mail has the following format:

    Subject: one of these (in order of probability to appear):
    - If I were God and didn't belive in myself would it be blasphemy
    - The A-Team VS KnightRider ... who would win ?
    - Just one kiss, will make it better. just one kiss, and we will be alright.
    - I can't help this longing, comfort me.
    - And I miss you most of all, my darling ...
    - ... When autumn leaves start to fall
    - It's dark in here, you can feel it all around.
    - I will always be with you sometimes black sometimes white ...
    - .. and there's no need to be scared, you re always on my mind.
    - You just take a giant step, one step higher.
    - The air will hold you if you try, trust my wings of desire. Glory, Glorified.......
    - The horizons lean forward, offering us space to place new steps of change.
    - I like this calm, moments before the storm
    - Darling, when did you fall..when was it over ?
    - Will you meet me .... and we

    Body:

    You should like this, it could have been made for you
    speak to you later

    Hey
    They say love is blind ... well, the attachment probably proves it.
    Pretty good either way though, isn't it ?

    Happy Birthday
    Yeah ok, so it's not yours it's mine :)
    still cause for a celebration though, check out the details I attached

    This made me laugh
    Got some more stuff to tell you later but I'can't stop right now
    so I'll email you later or give you a ring if thats ok ?!
    Speak to you later


    At the end of the body the virus writes the victim's name (the registered owner name from the Windows installation).

    With this e-mail prepared, the virus sends it to all the contacts in the Outlook Address Book.
    An example of an infected e-mail is this:

    After this the virus creates the following registry key so that it is executed each time Windows starts:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Karen
    with the value "%WinDir%\karen.exe"
    It also searches for gone.scr in the System directory and deletes it if it is found. That file is created by the Win32.Gone.A@mm virus.

    If the directory c:\mirc exists, the virus drops the file script.ini, which tries to send the virus to each person who chats with the victim. The script also suppresses some phrases that could be used to warn the victim that they are infected.

    If the virus finds the folder C:\Inetpub\wwwroot (the default folder for the IIS Web service), it copies the file default.htm to redesi.htm and overwrites the default page to look like this:

    When this page is accessed, the browser tries to download a file Web.exe, to which the virus also copies itself.

    A destructive side effect on IIS servers is that when the virus is executed a second time, it effectively destroys the original default Web page, because redesi.htm is overwritten with the already infected default.htm.
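As an added example (not Bitdefender's code), here is a small Python checker built from the artifacts named in this description: the fragment-and-extension naming scheme of the worm's random copy, the KAREN.EXE / Web.exe / redesi.htm files, the mIRC script.ini drop and the Run\Karen persistence entry. The inventory it inspects is a constructed list of paths and Run entries (%WinDir% is assumed to be C:\Windows); since the page does not give the name-generation algorithm, the matcher only tests that a name is built entirely from the listed fragments, digits and extensions.

```python
import re

# Name fragments and extensions the advisory lists for the worm's randomly
# generated copy. The advisory does not give the generation algorithm, so the
# matcher below only checks that a name is built solely from these fragments
# and digits (the advisory's example: glkfhglkfhglkfh142125362725glkfh.exe).
FRAGMENTS = [
    "tgfdfg", "jhfxvc", "cgfd2", "trevc", "t6tr", "ffdasf", "glkfh", "fhjdv",
    "qesac", "kujzv", "weafs", "twat", "rewfd", "gfdsf", "hgbv", "fdsc",
    "p0olik", "3tgf", "rf43dr", "t54refd", "ut545a", "r4354gkjw", "vgrewu",
    "xw54re", "y343rv", "z3vdf",
]
EXTENSIONS = ("pif", "scr", "exe", "com", "bat")

# Longest fragments first so the alternation cannot stop at a shorter prefix.
_FRAG = "|".join(re.escape(f) for f in sorted(FRAGMENTS, key=len, reverse=True))
_EXT = "|".join(EXTENSIONS)
GENERATED_NAME = re.compile(rf"^(?:\d*(?:{_FRAG})\d*)+(?:\.(?:{_EXT}))+$", re.I)

# Fixed artifacts named in the advisory. %WinDir% is assumed to be C:\Windows.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Karen"
RUN_VALUE = r"%WinDir%\karen.exe"
DROPPED_FILES = {
    r"c:\windows\karen.exe",
    r"c:\inetpub\wwwroot\web.exe",
    r"c:\inetpub\wwwroot\redesi.htm",   # copy the worm makes of default.htm
}
MIRC_SCRIPT = r"c:\mirc\script.ini"     # legitimate for mIRC too: review it

def is_generated_name(path):
    """True if the file name fits the fragment/digit/extension scheme above."""
    return GENERATED_NAME.match(path.rsplit("\\", 1)[-1]) is not None

def find_indicators(file_paths, run_entries):
    """Return findings for a host inventory: file paths and (key, value) Run entries."""
    findings = []
    for path in file_paths:
        low = path.lower()
        if low in DROPPED_FILES:
            findings.append(f"dropped file: {path}")
        elif low == MIRC_SCRIPT:
            findings.append(f"review mIRC script for worm hooks: {path}")
        elif low.startswith("c:\\windows\\") and is_generated_name(path):
            findings.append(f"generated-name copy in Windows dir: {path}")
    for key, value in run_entries:
        if key.lower() == RUN_KEY.lower() or value.lower() == RUN_VALUE.lower():
            findings.append(f"persistence entry: {key} = {value}")
    return findings
```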