
Win32.Gokar.A@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Gokar.A@mm is also known as N/A.

Explanation :

This is a worm which uses three methods to spread:
- using Outlook to send infected e-mails
- using the mIRC client to send itself to people who chat with the infected user
- modifying the default Web page of IIS servers.

To evade behaviour-based detection the virus tries to close some antivirus monitors.

When the virus is executed it copies itself into the Windows directory under the name KAREN.EXE, and also under a randomly generated name composed from the following strings:
tgfdfg, jhfxvc, cgfd2, trevc, t6tr, ffdasf, glkfh, fhjdv, qesac, kujzv, weafs, twat, rewfd, gfdsf, hgbv, fdsc, p0olik, 3tgf, rf43dr, t54refd, ut545a, r4354gkjw, vgrewu, xw54re, y343rv, z3vdf
with one or more of these extensions: .pif, .scr, .exe, .com, .bat
Example: glkfhglkfhglkfh142125362725glkfh.exe
This file is attached to the infected e-mails that are sent.
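As an added example (not part of the BitDefender description), a small Python matcher that turns the naming scheme above into a mail-gateway or triage check: it flags attachment names built from the listed fragments and digit runs with one or more of the listed extensions, plus the fixed names karen.exe and Web.exe. The attachment list at the bottom is a constructed sample.

```python
import re

# Name fragments transcribed from the description above.
GOKAR_TOKENS = [
    "tgfdfg", "jhfxvc", "cgfd2", "trevc", "t6tr", "ffdasf", "glkfh", "fhjdv",
    "qesac", "kujzv", "weafs", "twat", "rewfd", "gfdsf", "hgbv", "fdsc",
    "p0olik", "3tgf", "rf43dr", "t54refd", "ut545a", "r4354gkjw", "vgrewu",
    "xw54re", "y343rv", "z3vdf",
]
GOKAR_EXTENSIONS = ("pif", "scr", "exe", "com", "bat")
# Fixed file names the worm drops: %WinDir%\karen.exe and Web.exe (from the page).
GOKAR_FIXED_NAMES = {"karen.exe", "web.exe"}

# Longest fragments first so the alternation does not stop on a shorter prefix.
_token_alt = "|".join(re.escape(t) for t in sorted(GOKAR_TOKENS, key=len, reverse=True))
# Base name: at least one fragment, with optional digit runs before or between
# fragments (as in glkfhglkfhglkfh142125362725glkfh.exe), followed by one or
# more of the listed extensions.  A purely numeric base name does not match.
GOKAR_NAME_RE = re.compile(
    r"^\d*(?:(?:%s)\d*)+(?:\.(?:%s))+$" % (_token_alt, "|".join(GOKAR_EXTENSIONS)),
    re.IGNORECASE,
)


def is_gokar_name(filename: str) -> bool:
    """True if an attachment name matches the worm's dropped-file naming scheme."""
    name = filename.strip().lower()
    if name in GOKAR_FIXED_NAMES:
        return True
    return GOKAR_NAME_RE.match(name) is not None


def flagged_attachments(names):
    """Return the subset of attachment names that look like Gokar droppers."""
    return [n for n in names if is_gokar_name(n)]


# Constructed sample attachment list (not taken from the page).
SAMPLE_ATTACHMENTS = [
    "glkfhglkfhglkfh142125362725glkfh.exe",
    "holiday_photos.zip",
    "hgbvhgbv8812fdsc.scr.pif",
    "invoice.pdf",
]

if __name__ == "__main__":
    for hit in flagged_attachments(SAMPLE_ATTACHMENTS):
        print("suspicious attachment:", hit)
```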

The e-mail has the following format:

Subject: one of these (in order of probability of appearing):
- If I were God and didn't belive in myself would it be blasphemy
- The A-Team VS KnightRider ... who would win ?
- Just one kiss, will make it better. just one kiss, and we will be alright.
- I can't help this longing, comfort me.
- And I miss you most of all, my darling ...
- ... When autumn leaves start to fall
- It's dark in here, you can feel it all around.
- I will always be with you sometimes black sometimes white ...
- .. and there's no need to be scared, you re always on my mind.
- You just take a giant step, one step higher.
- The air will hold you if you try, trust my wings of desire. Glory, Glorified.......
- The horizons lean forward, offering us space to place new steps of change.
- I like this calm, moments before the storm
- Darling, when did you fall..when was it over ?
- Will you meet me .... and we

Body:

You should like this, it could have been made for you
speak to you later

Hey
They say love is blind ... well, the attachment probably proves it.
Pretty good either way though, isn't it ?

Happy Birthday
Yeah ok, so it's not yours it's mine :)
still cause for a celebration though, check out the details I attached

This made me laugh
Got some more stuff to tell you later but I'can't stop right now
so I'll email you later or give you a ring if thats ok ?!
Speak to you later


At the end of the body the virus writes the victim's name (the user name recorded by the Windows installation).

With this e-mail prepared, the virus sends it to all the contacts in the Outlook Address Book.
An example of an infected e-mail is this:



After this the virus creates the following registry entry so that it is executed each time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Karen
with the value "%WinDir%\karen.exe"
It also searches for gone.scr in the System directory and deletes it if found. That file is created by the Win32.Gone.A@mm virus.

If the directory c:\mirc exists, the virus drops a script.ini that tries to send the virus to each person who chats with the victim. The script also suppresses some phrases that could be used to notify the victim that they are infected.

If the virus finds the folder C:\Inetpub\wwwroot (the default folder of the IIS Web service), it copies the file default.htm to redesi.htm and overwrites the default page to look like this:



and when this page is accessed the browser will try to download a file Web.exe, into which the virus also copies itself.

A destructive side effect on IIS servers is that when the virus is executed a second time, it effectively destroys the original default web page, because redesi.htm is overwritten with the already infected default.htm.

Last update 21 November 2011
