Win32/Gokar

Win32:Gokar is a worm that spreads by e-mail, over IRC, or through a modified HTML page loaded from an infected computer running MS IIS Web Server. Like many others, this worm is written in Visual Basic and is packed with a program. It is 14336 bytes long. The worm spreads in messages that can have the following properties:

Message subject (one of the following):
The A-Team VS KnightRider ... who would win ?
And I miss you most of all, my darling ...
The air will hold you if you try, trust my wings of desire. Glory, Glorified.......
If I were God and didn't belive in myself would it be blasphemy
Just one kiss, will make it better. Just one kiss, and we will be alright.
I can't help this longing, comfort me.
It's dark in here, you can feel it all around. The underground.
.. and there's no need to be scared,you re always on my mind.
You just take a giant step, one step higher.
The horizons lean forward, offering us space to place new steps of change.
I like this calm, moments before the storm
Darling, when did you fall..when was it over?

Message body (one of the following):
Yeah ok, so it's not yours it's mine :)
You should like this, it could have been made for you
speak to you later
Pretty good either way though, isn't it?
Happy Birthday
still cause for a celebration though, check out the details I attached
This made me laugh
Got some more stuff to tell you later but I can't stop right now
so I'll email you later or give you a ring if that's ok ?!
Speak to you later

The file attached to the message has a completely random name and one of the following extensions:
.BAT, .COM, .EXE, .PIF, .SCR

When run, the worm copies itself into the Windows directory under the name KAREN.EXE and creates a Registry entry that starts it when the computer boots:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ Karen="C:\WINDOWS\karen.exe"

It then tries to send itself to every address found in the Outlook address books.

The worm also creates a script for the mIRC program named script.ini. This lets it send itself to other users who join the same IRC channel as the infected user. The worm can also change the aliases of IRC users, depending on the words used in the conversation.

If MS IIS Web Server is running on the infected computer, the worm also tries to spread to the computers of users who visit that web site. It copies itself to the file C:\INETPUB\WWWROOT\WEB.EXE and creates the file DEFAULT.HTM in the same directory. When a user opens this page, the browser prompts them to save or run the program web.exe.

Removal:

  • delete all infected files that were found
  • remove all Registry entries that pointed to these files
  • if you run MS-IIS Web Server on the infected computer, also remove the files default.htm and web.exe
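
A read-only triage check for the traces named above, added here as an example (it is not part of the original description or of the vendor's tooling). It takes the text output of `reg query` for the Run key and a list of file paths collected from the host; the function names, the sample input, and the rule of reporting default.htm only beside web.exe are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the description above. Matching is by name only, so each
# hit is a lead to confirm with a scanner, not proof of infection.
RUN_VALUE = "karen"         # value under HKLM\...\CurrentVersion\Run
WORM_COPY = "karen.exe"     # copy placed in the Windows directory
IIS_DROP = "web.exe"        # copy placed in C:\INETPUB\WWWROOT
IIS_PAGE = "default.htm"    # page created next to web.exe
MIRC_SCRIPT = "script.ini"  # mIRC script created by the worm

def parse_reg_query(text):
    """Parse `reg query <key>` output into {lower-cased value name: data}."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(\S.*?)\s+REG_\w+\s*(.*)$", line)
        if m:
            values[m.group(1).lower()] = m.group(2).strip()
    return values

def triage(run_key_text, file_paths):
    """Return sorted (kind, item) findings for a Run-key dump and a file list."""
    findings = set()
    for name, data in parse_reg_query(run_key_text).items():
        target = PureWindowsPath(data.strip('"')).name.lower()
        if name == RUN_VALUE or target == WORM_COPY:
            findings.add(("run-value", name))
    paths = [PureWindowsPath(p) for p in file_paths]
    # default.htm is normal on IIS (assumption), so report it only beside web.exe.
    web_dirs = {str(p.parent).lower() for p in paths if p.name.lower() == IIS_DROP}
    for p in paths:
        name = p.name.lower()
        if name in (WORM_COPY, IIS_DROP, MIRC_SCRIPT) or (
                name == IIS_PAGE and str(p.parent).lower() in web_dirs):
            findings.add(("file", str(p)))
    return sorted(findings)

# Constructed sample input (not captured from a real host).
SAMPLE_RUN = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    SysTray.Exe
    Karen    REG_SZ    "C:\WINDOWS\karen.exe"
"""
SAMPLE_FILES = [r"C:\WINDOWS\karen.exe", r"C:\INETPUB\WWWROOT\WEB.EXE",
                r"C:\INETPUB\WWWROOT\DEFAULT.HTM", r"D:\site\default.htm",
                r"C:\mirc\script.ini", r"C:\WINDOWS\notepad.exe"]

if __name__ == "__main__":
    print(triage(SAMPLE_RUN, SAMPLE_FILES))
```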

Source: Alwil Software - maker of the AVAST antivirus