Antivirus software updated on or after December 13, 2001 should be able to detect and remove Gokar from the system. To check for the worm manually, search the drive for KAREN.EXE. Because the worm's file has hidden attributes, first ensure the operating system is configured to show hidden files and folders. For example, in Windows 2000, open Windows Explorer, click on Tools | Folder Options | View and select "Show hidden files and folders".
Manual Removal
Remove the value "Karen" with the path "C:\Windows\karen.exe" from the following Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
If you are unfamiliar with editing the Registry, download and run the free tool F-Secure has created for making the necessary changes:
ftp://ftp.europe.f-secure.com/anti-virus/tools/gokardis.reg
After making the necessary registry edits (or downloading and running the aforementioned tool), restart your system. Then either scan the system with updated antivirus software and allow it to delete any infected files found, or search for KAREN.EXE in C:\Windows and delete the file. For infected web servers, also search for WEB.EXE in C:\inetpub\wwwroot and delete the file, then rename REDESI.HTM to DEFAULT.HTM. IRC users should also replace the modified SCRIPT.INI in the mIRC directory with a valid one.
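A read-only check for the artifacts named in the steps above, useful for confirming that the cleanup is complete. This is an added example, not part of the original article and not an F-Secure tool; it assumes a system with PowerShell available and the same C:\Windows and C:\inetpub\wwwroot locations the article uses.

```powershell
# Read-only check for the Gokar artifacts listed in the removal steps.
# Added example: it reports what is still present and changes nothing.
$findings = @()

# 1. Autostart entry: the "Karen" value under the Run key.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'Karen' -ErrorAction SilentlyContinue
if ($run) {
    $findings += "Run value 'Karen' still present: $($run.Karen)"
}

# 2. Files at the locations the article names.
#    -Force is required because the worm's file has hidden attributes.
$knownPaths = @(
    'C:\Windows\karen.exe',
    'C:\inetpub\wwwroot\web.exe',
    'C:\inetpub\wwwroot\redesi.htm'   # should be renamed back to DEFAULT.HTM
)
foreach ($path in $knownPaths) {
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $hidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
        $findings += "File present: $path (hidden: $hidden)"
    }
}

# 3. Drive-wide search for KAREN.EXE, including hidden files.
Get-ChildItem -Path 'C:\' -Filter 'karen.exe' -File -Recurse -Force `
        -ErrorAction SilentlyContinue |
    Where-Object { $knownPaths -notcontains $_.FullName } |
    ForEach-Object { $findings += "Additional copy found: $($_.FullName)" }

# The mIRC SCRIPT.INI is not checked here: its directory varies per
# installation and the file has to be compared against a valid copy by hand.

if ($findings.Count -eq 0) {
    Write-Output 'No Gokar artifacts found at the checked locations.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it from an elevated prompt after the restart; any line it prints corresponds to a removal step that still needs to be completed.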