Skip to main content /TECH with IDG.net
CNN.com /TECH
CNN TV
EDITIONS





'Gokar' worm spread by e-mail and chat

itworld.com
graphic


By Sam Costello
IDG News Service, Boston Bureau

(IDG) -- A new worm called "Gokar" has begun to spread on the Internet via e-mail, the chat program mIRC and the Web, according to a trio of antivirus firms.

The worm is not known to be destructive and has not yet been reported to have infected many systems. But as with any mass-mailer worm, it could become a nuisance as unsuspecting users spread it.

Like other mass-mailing worms such as "Anna Kournikova" and "Badtrans," Gokar spreads through Microsoft's Outlook and Outlook Express e-mail clients when a user clicks on an attachment sent with the infected message, according to antivirus firms Symantec, F-Secure and Trend Micro.

Infected e-mail arrives in user inboxes with dozens of combinations of different subject lines, body messages and filenames, although each attachment will end with the .pif, .scr, .exe, .com or .bat extensions, the companies said.

IDG.net INFOCENTER
IDG.net
Related IDG.net Stories
Features
Visit an IDG site


IDG.net search



When the attachment is double-clicked, the worm installs a file called Karen.exe on the infected system and mails itself to all addresses listed in the computer's address book. The worm then runs every time the infected computer is booted up. To find out if your system is infected, run a search for the Karen.exe file.

The worm also uses the chat program mIRC (Internet Relay Chat), the companies said. Gokar searches an infected PC for the mIRC application. If it finds it, it attempts to infect IRC users in the same discussion, or channel, as the infected system whenever the application is started, according to Trend Micro.

Lastly, if an infected system is running Microsoft's IIS (Internet Information Services) Web server software, the worm will modify the default Web page on the system and offer users visiting the site a chance to download the worm, according to F-Secure. An infected Web site will be changed to display the text "We are Forever" and point users to a link to download a file called Web.exe, which contains the Gokar worm, according to Symantec.

The "Nimda" worm also defaced Web sites and downloaded files to the computers of users viewing the site. Unlike Nimda, which automatically downloaded a file through the browser, Gokar requires that the user click a link to download the worm. Both Nimda and "Code Red" exploited IIS to assist in their spread.

Users should check with their antivirus companies for software updates. Companies are urged to block attachments, especially .exe., .scr. and .pif files, at their mail gateways to avoid infection.

Sam Costello is a correspondent for the IDG News Service.



 
 
 
 


RELATED IDG.net STORIES:
RELATED SITES:
• Microsoft
• mIRC (Internet Relay Chat)

Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.


 Search   

Back to the top