posted 12-18-2001 10:50 AM               

CHARACTERISTICS
Win32.Gokar is a worm spreading via e-mail using Microsoft Outlook.

The worm arrives attached to an e-mail message with a variable but predefined Subject line and message body.

The text in the Subject line is chosen from the following list:

"If I were God and didn't believe in myself would it be blasphemy"
"The A-Team VS KnightRider ... who would win ?"
"Just one kiss, will make it better. just one kiss, and we will be alright."
"I can't help this longing, comfort me."
"And I miss you most of all, my darling ..."
"... When autumn leaves start to fall"
"It's dark in here, you can feel it all around. The underground."
"I will always be with you sometimes black sometimes white ..."
".. and there's no need to be scared, you re always on my mind."
"You just take a giant step, one step higher."
"The air will hold you if you try, trust my wings of desire. Glory, Glorified......."
"The horizons lean forward, offering us space to place new steps of change."
"I like this calm, moments before the storm"
"Darling, when did you fall..when was it over ?"
"Will you meet me .... and we'll fly away ?!"

The message body is then chosen from the following list:

"You should like this, it could have been made for you
speak to you later
[sender name]"

"Hey
They say love is blind ... well, the attachment probably proves it.
Pretty good either way though, isn't it ?
[sender name]"

"Happy Birthday
Yeah ok, so it's not yours it's mine
still cause for a celebration though, check out the details I attached
[sender name]"

"This made me laugh
Got some more stuff to tell you later but I can't stop right now
so I'll email you later or give you a ring if thats ok ?!
Speak to you later
[sender name]"

The name of the attached file is also variable and is comprised of the following parts: [X][X][X][11 digits][X].[Y], where [X] is one of:

jhfxvc
cgfd2
trevc
t6tr
ffdasf
glkfh
fhjdv
qesac
kujzv
weafs
****
rewfd
gfdsf
hgbv
fdsc
p0olik
3tgf
rf43dr
t54refd
ut545a
r4354gkjw
vgrewu
xw54re
y343rv
z3vdf

and [Y] is one of:

exe
scr
pif
com
bat

This process will result in an attachment that may appear similar to the following example:
"rewfdrewfdrewfd65432109876rewfd.pif"

When the attachment is executed the worm copies itself to the Windows directory as: "karen.exe" and sets its attribute to "Hidden". It also modifies the registry in order to execute at the system re-start:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Karen = %Windows%\Karen.exe

You might wanna try this. http://www.vcatch.com/

It protect your system from e-mail bound viruses. Its free, small but it only detects and deletes viruses (doesn't clean, if you have it already)

The server is slower than a snail with a limp, so I have added it to our Mail Responder so if you click this link and then send the mail it will create the file will be mailed to you.

posted 12-19-2001 12:15 PM               

To Colin & the rest of TRLE community.

I have looked at the VCatch site and tried to download their program from the ftp address.

However - according to the Sophos Anti-Virus package on my machine - the default page in their ftp directory (ftp://www.vcatch.com/default.htm) is infected with the Unix/SadMind virus.

I have made them aware of this.

Either this is a deliberate act, or their Anti-Virus software isn't up to much (I presume they use their own software) or they have been hacked (which means their security isn't up to scratch).

Either way I'd stay away from there until they have cleaned up their act!

posted 12-19-2001 01:22 PM               

well blow me down!

thank you for the warning Dave, I almost opened that program!