Automated PC Solutions
VACM - Virus Alerts for the Common Man


Gokar email worm disables antivirus, and more...

Greetings from The VACM Team,
In this issue:
------------------------------------
- Gokar email worm disables antivirus, sends itself to your
      address book, and causes various other problems...


***************************************************
* The Bottom Line
***************************************************
This worm spreads as an email with an attachment and via infected
web sites.

The Gokar worm was discovered on December 12, 2001.  It spreads
via email, IRC, and infected web servers. It attempts to shut
down antivirus software and emails itself to your address
book.  

The email arrives with random subject lines, random message
bodies, and random attachment names ending in BAT, COM,
EXE, SCR, or PIF.  If you have already followed the VACM How-To
article "Disable Hiding of File Extensions", you will be able
to see that the attachment ends in one of these extensions;
otherwise Windows hides the extension and you will not.

Click here for the "Disable Hiding of File Extensions" article.


***************************************************
* What Gokar Does To Your System...
***************************************************
If you run the attachment, Gokar creates the file KAREN.EXE
in the Windows folder and modifies the Registry to run itself
when you boot your system.  As mentioned, it shuts down your
antivirus software.  It then emails itself to everyone in
your address book.

If you use IRC (internet chat) software, Gokar replaces your
chat client's SCRIPT.INI file with its own such that it will
send the infected file, KAREN.EXE, to anyone who joins an
IRC channel you are on.  The file is sent with the message
"If this doesn't make you smile, nothing will."

If your computer is running either Personal Web Server (which is
installed with Windows whether you knew it or not) or IIS
(Microsoft Internet Information Server), the worm will modify
your home page such that visitors to your web server will be
infected.


***************************************************
* What Does The Email Look Like?
***************************************************
The Subject is typically one of the following:

  If I were God and didn't belive in myself would it be
     blasphemy
  The A-Team VS KnightRider ... who would win
  Just one kiss, will make it better. just one kiss, and
     we will be alright.
  I can't help this longing, comfort me.
  And I miss you most of all, my darling... When autumn
     leaves start to fall
  It's dark in here, you can feel it all around. The underground.
  I will always be with you sometimes black sometimes white...
     ...and there's no need to be scared, you re always on my mind.
  You just take a giant step, one step higher.
  The air will hold you if you try, trust my wings of desire.
  Glory, Glorified.......
  The horizons lean forward, offering us space to place new
     steps of change.
  I like this calm, moments before the storm
  Darling, when did you fall..when was it over ?
  Will you meet me .... and we'll fly away ?!

The body of the email message contains one of these:

  You should like this, it could have been made for you
     speak to you later

  Hey
     They say love is blind ... well, the attachment probably
     proves it.  Pretty good either way though, isn't it ?

  Happy Birthday
     Yeah ok, so it's not yours it's mine :)
     still cause for a celebration though, check out the
     details I attached

  This made me laugh
     Got some more stuff to tell you later but I can't
     stop right now so I'll email you later or give you
     a ring if thats ok ?! Speak to you later

  The worm also adds the registered name of the user to the
  email message.

The Attachment :

  The email attachment is named with a random series of
  numbers and letters and always has an extension of BAT, COM,
  EXE, SCR, or PIF.


***************************************************
* What You Should Do...
***************************************************
Get the latest updates for your antivirus software, dated
December 13, 2001 or later.  Then run a complete system scan
so that it can detect and remove Gokar from the system.

If you ran the virus, you may have to remove Gokar manually.

Manually Detecting and Removing Gokar:
-----------------------------------------------
To manually detect the presence of Gokar, search your
hard drive for the file "KAREN.EXE".  Because the worm's file
has the hidden attribute set, first make sure that your system
is set to show hidden files and folders.  By default, Windows
is not set this way.  To change the setting, open Windows
Explorer, and on the menu click
View (or Tools for Win2K) | Folder Options
In the window that comes up, click on the "View" tab
and select "Show hidden files and folders".

If you find the file KAREN.EXE, delete it.

Download the Gokar registry removal tool and double-click it.
The file is at:

  Gokar Registry fix tool

After making the necessary changes, reboot your system and
then scan the system with updated antivirus software and allow
it to delete any infected files found, or search for KAREN.EXE
in C:\Windows and delete the file. For infected web servers,
search for WEB.EXE in C:\inetpub\wwwroot and delete the file,
then rename REDESI.HTM to DEFAULT.HTM. IRC users should also
replace the modified SCRIPT.INI in the mIRC directory with a
valid one.
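The two checks described in this alert, the attachment-extension check from "What Does The Email Look Like?" and the manual search for the files Gokar leaves behind, as a defender's triage script. This is an added example, not the VACM fix tool or anything from the worm itself; it assumes a directory tree standing in for the drive (a constructed one is built inside the block) and uses only the file names the alert gives: KAREN.EXE, WEB.EXE, REDESI.HTM, and a SCRIPT.INI that references KAREN.EXE.

```python
import os
import tempfile

# Indicators from the alert: extensions Gokar uses and files it leaves behind.
RISKY_EXTENSIONS = {".bat", ".com", ".exe", ".scr", ".pif"}
GOKAR_FILES = {
    "karen.exe": "worm body dropped in the Windows folder",
    "web.exe": "worm copy placed in the PWS/IIS web root",
    "redesi.htm": "replacement home page left by the worm",
}

def attachment_is_risky(filename):
    """True if the real (final) extension is one Gokar uses; Windows hides known
    extensions by default, so 'photo.jpg.scr' displays as 'photo.jpg'."""
    return os.path.splitext(filename)[1].lower() in RISKY_EXTENSIONS

def script_ini_is_modified(path):
    """A mIRC SCRIPT.INI that mentions KAREN.EXE is the worm's replacement."""
    try:
        with open(path, encoding="latin-1") as fh:
            return "karen.exe" in fh.read().lower()
    except OSError:
        return False

def scan_tree(root):
    """Walk root and return sorted (path, reason) pairs for each indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path, lower = os.path.join(dirpath, name), name.lower()
            if lower in GOKAR_FILES:
                hits.append((path, GOKAR_FILES[lower]))
            elif lower == "script.ini" and script_ini_is_modified(path):
                hits.append((path, "mIRC SCRIPT.INI modified to send KAREN.EXE"))
    return sorted(hits)

def build_sample_tree():
    """Constructed stand-in for an infected drive: clean files plus artefacts."""
    root = tempfile.mkdtemp()
    sample = {
        "Windows/KAREN.EXE": "", "Windows/notepad.exe": "",
        "inetpub/wwwroot/WEB.EXE": "", "inetpub/wwwroot/REDESI.HTM": "<html>",
        "mirc/SCRIPT.INI": "[script]\n; constructed sample referencing KAREN.EXE\n",
    }
    for rel, body in sample.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root
```

Run scan_tree against the root of the drive in question (for example `C:\`) to list every indicator with the reason it was flagged; the sample tree only shows the expected output shape.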




Best Regards,
Marc Deschenes, VACM Editor
The VACM Project at
Automated PC Solutions

*** Be sure to check out the appendix at the end of this alert
if you are having trouble booting your computer into "Safe Mode".
The process is all spelled out for you there.

******** APPENDIX - Handy How-To Tips **********


  * How To Boot into Safe Mode

Shut the computer down so that the power is off.

Turn the computer on, wait one second and begin pressing the F8 key
on the keyboard, once every second, repeatedly. Do this until
the Windows Startup Menu appears. If you get a keyboard
error, press F1 to resume and then continue pressing the
F8 key once every second. Your PC may also display a prompt
to press another key for BIOS setup.

Select Safe Mode from the Windows Startup Menu, then press
the Enter key on the keyboard.

Windows will then boot into Safe Mode.
NOTE: This may take longer than a normal boot.

At the end of the boot process a dialog box will appear
informing you that Windows is in Safe Mode. Click OK on this dialog box.

Windows is now in Safe Mode.

If you miss hitting the F8 at the right time, Windows will boot
normally and you will not see the "Safe Mode" message.  In this
case, start from the top of these instructions until you get the
boot menu screen where you can choose "Safe Mode".  This can be
a little tricky the first time you do it.
