W32.Gokar@mm

Aliases: I-Worm.Gokar, W32/Gokar-A, W32/Gokar@mm, WORM_GOKAR.A, Win32.Gokar
Variants: Email-Worm.Win32.Gokar, Win32.HLLW.Karen, Win32/Gokar@mm, W32/Gokar.1, Win32:Gokar

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Fast
Geographical info: North and South America, Asia, Australia
Removal: Easy
Platform: W32
Discovered: 12 Dec 2001
Damage: Low

Characteristics: Antivirus vendors have observed that this Internet worm spreads by sending unsolicited (spam) email messages. W32.Gokar@mm usually attaches a copy of itself to each message in an attempt to trick the recipient into launching the file and infecting the computer. It relies on the email addresses stored on the compromised machine to address its malicious messages to unsuspecting users.

More details about W32.Gokar@mm

The file traces associated with the W32.Gokar@mm malware normally carry one of the file extensions BAT, COM, PIF, SCR or EXE, among others. The filenames may be chosen at random from text strings hard-coded into the worm. Although known primarily as a mass-mailing worm, W32.Gokar@mm actually uses three spreading routines to infect other computers and network environments. The first method is to harvest all email addresses stored in the Microsoft Outlook address book. The worm then hijacks the user's account and sends a booby-trapped email message to those contacts without the user's knowledge. In most cases the recipients assume the message is genuine, which accounts for the malware's high infection rate.
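The attachment extensions listed above are the hook a mail gateway can filter on. The following added example (not part of this entry and not code from any antivirus vendor) parses a message with Python's standard `email` package, lists its attachments and quarantines any whose final extension is one of the executable types the worm is known to use; it also handles the "report.txt.scr" double-extension trick and trailing dots that a file system would silently drop. The sample message and its attachment names are constructed for the example, not taken from a real Gokar sample.

```python
"""Mail-gateway check for executable attachments of the kind a mass-mailer drops.

Added example. The sample message below is constructed; it is not a real
malware sample. Extension list follows the entry: BAT, COM, PIF, SCR, EXE.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Final extensions treated as executable content for quarantine purposes.
RISKY_EXTENSIONS = {".bat", ".com", ".pif", ".scr", ".exe"}


def attachment_names(raw: bytes) -> list[str]:
    """Return the declared filenames of every attachment part in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def is_risky_filename(name: str) -> bool:
    """True if the *final* extension is an executable type.

    Trailing spaces and dots are stripped first because Windows ignores them,
    so "setup.exe." still launches as an executable. Looking only at the final
    extension also catches double extensions such as "funny.txt.scr".
    """
    cleaned = name.strip().rstrip(". ")
    _, ext = os.path.splitext(cleaned)
    return ext.lower() in RISKY_EXTENSIONS


def classify_message(raw: bytes) -> dict:
    """Summarise attachments and decide whether the message should be held."""
    names = attachment_names(raw)
    flagged = [n for n in names if is_risky_filename(n)]
    return {"attachments": names, "flagged": flagged, "quarantine": bool(flagged)}


def build_sample_message() -> bytes:
    """Constructed test message: one executable-looking attachment, one harmless."""
    msg = EmailMessage()
    msg["From"] = "friend@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "check this out"
    msg.set_content("Take a look at the attached file.")
    # Placeholder binary payload; only the filename matters to the filter.
    msg.add_attachment(b"MZ" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="funny.txt.scr")
    msg.add_attachment("just some notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    verdict = classify_message(build_sample_message())
    print(verdict)
```

The check deliberately trusts only the final extension after normalisation, not the declared MIME type, because a mass-mailer controls both the filename and the `Content-Type` header it sends.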

The second method used by W32.Gokar@mm is to create an initialization script that takes over the functions of an Internet Relay Chat client. The worm uses the client to send its code to any contact who chats with the user of the infected computer. The contact remains unaware of the infection and will unsuspectingly execute the received file. The third method used by the W32.Gokar@mm worm is to modify the default Web page of any IIS server running on the infected host. As a defense mechanism, the worm also terminates any running security processes.
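A host-side check for the IRC spreading method is to inspect the chat client's initialization script for event handlers that push a file to whoever joins a channel or sends the user a message. The following added example (not from this entry or any vendor) scans an mIRC-style script for such handlers; the `script.ini` syntax, the event names and the sample script lines are assumptions made for the example, since the entry does not name the client.

```python
"""Scan an IRC client initialisation script for auto-send event handlers.

Added example. Assumes mIRC-style script syntax ("on <level>:<EVENT>:...") in
an INI file whose lines may be prefixed with n0=, n1=, ... The SAMPLE_SCRIPT
is constructed for the example and is not a real worm artifact.
"""
import re

# "on 1:JOIN:#:/dcc send $nick file" -> level "1", event "JOIN".
EVENT_RE = re.compile(r"^\s*on\s+[^:\s]+:(?P<event>[A-Za-z]+):", re.IGNORECASE)
# A DCC send is how a script hands a file to another user.
SEND_RE = re.compile(r"\bdcc\s+send\b", re.IGNORECASE)
# Events fired by other people's actions, i.e. the ones a worm abuses to react
# to a contact who joins or starts chatting.
TRIGGER_EVENTS = {"JOIN", "TEXT", "ACTION", "NOTICE"}


def suspicious_handlers(script_text: str) -> list[tuple[int, str]]:
    """Return (line number, line) for every handler that DCC-sends on a trigger event."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        # Strip the INI line prefix (n0=, n1=, ...) before matching the handler.
        body = re.sub(r"^\s*n\d+=", "", line)
        match = EVENT_RE.match(body)
        if not match:
            continue
        if match.group("event").upper() in TRIGGER_EVENTS and SEND_RE.search(body):
            hits.append((lineno, line.strip()))
    return hits


# Constructed sample: two benign handlers, two that push a file to contacts.
SAMPLE_SCRIPT = """\
[script]
n0=on 1:START:/echo -s loaded
n1=on 1:JOIN:#:/dcc send $nick C:\\PLACEHOLDER\\funny.scr
n2=on 1:TEXT:*hi*:#:/msg $nick hello
n3=on 1:TEXT:*:?:/dcc send $nick C:\\PLACEHOLDER\\funny.scr
"""


if __name__ == "__main__":
    for lineno, text in suspicious_handlers(SAMPLE_SCRIPT):
        print(f"line {lineno}: {text}")
```

Running this over a real client's script directory (the path is client-specific, so it is left to the caller) gives a quick triage signal; a match is not proof of infection, but an initialization script that DCC-sends an executable to everyone who joins has no legitimate reason to exist.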