W32.Gokar.A@mm


Aliases: I-Worm.Gokar, W32/Gokar-A, W32/Gokar@MM, WORM_GOKAR.A, Win32.Gokar
Variants: Email-Worm.Win32.Gokar, Win32.HLLW.Karen, Win32/Gokar.A@mm, W32/Gokar.1, Win32:Gokar

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Fast
Geographical info: North and South America, Asia, Australia
Removal: Easy
Platform: W32
Discovered: 12 Dec 2001
Damage: Low

Characteristics: This Internet Worm has been observed by many antivirus developers to use a spreading routine that involves the sending of spam email messages. The W32.Gokar.A@mm usually would attach a copy of itself in an attempt to trick the recipient into launching the file and infecting his computer system. This threat relies on the stored email addresses in the compromised machine to send its malicious messages to unsuspecting computer users.

More details about W32.Gokar.A@mm

The file traces associated with the W32.Gokar.A@mm malware normally carries the file extension BAT, COM, PIF, SCR, and EXE among others. The filenames used may be chosen randomly from text strings hard coded into the Worm. Although known primarily as a mass mailing Worm, the W32.Gokar.A@mm actually makes use of three spreading routines to infect other computer systems and network environments. The first method is by harvesting all stored email addresses in the Microsoft Outlook address book. The W32.Gokar.A@mm Worm will hijack the user's account and send a spiked email message that is sent to the contacts without the user's knowledge. In most instances the recipients assume that the spiked email messages are authentic which accounts for the high success rate of the malware's infection.

The next method used by the W32.Gokar.A@mm is to create an initialization script to take over the functionalities of an Internet Relay Chat client. It will use the client to send its codes to the contact who will chat with the user of the infected computer system. The contact remains unaware of the infection and will unsuspectingly execute any sent file. The last method used by the W32.Gokar.A@mm Worm is to modify the default Web page for the IIS servers of the infected host. As part of its defense mechanism it will terminate any running security processes and protocols.