
Gokar worm targets antivirus
Shuts down realtime protection

By Mary Landesman, About.com

Discovered on December 12, 2001, the Gokar worm spreads via email, IRC, and infected web servers. It also targets antivirus processes and attempts to shut them down. Gokar sends itself via email with random subject lines, random message bodies, and random attachment names ending in BAT, COM, EXE, SCR, or PIF. When an infected attachment is opened, Gokar creates the file KAREN.EXE in the Windows folder and modifies the Registry to run the file when Windows is started. Gokar then accesses the Outlook Address Book, sending itself to addresses found therein.

The worm searches for IRC software on the system and, if found, replaces the mIRC chat client's SCRIPT.INI file with its own. Thereafter, infected users will unwittingly send the infected file, KAREN.EXE, to anyone who joins an IRC channel they are present on. The file is sent with the message "If this doesn't make you smile, nothing will."

If the infected computer is a web server running either PWS (Personal Web Server) or IIS (Microsoft Internet Information Server), the worm will copy itself as WEB.EXE to the C:\inetpub\wwwroot directory. It also renames the file DEFAULT.HTM (the default homepage of the website) to REDESI.HTM and creates a new DEFAULT.HTM which offers the infected WEB.EXE to site visitors.

The Gokar worm searches for and aborts the realtime components of certain anti-virus software.
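The file artifacts described above can be checked for directly. The following is an added example, not part of the original article: a small Python check for the file names the article lists. The function names, the `autoruns` parameter (startup command strings the caller exports, since the article does not name the Registry key), and the assumption that the replaced SCRIPT.INI and DEFAULT.HTM mention the worm's file names in their text are illustrative.

```python
import os

def find_ci(directory, name):
    """Return the path of `name` in `directory`, matched case-insensitively, or None."""
    try:
        for entry in os.listdir(directory):
            if entry.lower() == name.lower():
                return os.path.join(directory, entry)
    except OSError:
        pass  # directory missing or unreadable: nothing to report
    return None

def mentions(path, needle):
    """True if the first 64 KB of the file contain `needle` (bytes, lower case)."""
    with open(path, "rb") as fh:
        return needle in fh.read(65536).lower()

def check_gokar_artifacts(windows_dir, webroot=None, mirc_dir=None, autoruns=()):
    """Return findings that match the behaviour described in the article.

    autoruns: startup command strings supplied by the caller; no Registry
    key is hard-coded because the article does not name one.
    """
    findings = []
    if find_ci(windows_dir, "KAREN.EXE"):
        findings.append("KAREN.EXE present in Windows folder")
    for cmd in autoruns:
        if "karen.exe" in cmd.lower():
            findings.append("startup entry runs KAREN.EXE: " + cmd)
    if webroot:
        if find_ci(webroot, "WEB.EXE"):
            findings.append("WEB.EXE present in web root")
        if find_ci(webroot, "REDESI.HTM"):
            findings.append("REDESI.HTM present (original DEFAULT.HTM renamed)")
        default = find_ci(webroot, "DEFAULT.HTM")
        # Assumption: the replacement homepage links to WEB.EXE by name.
        if default and mentions(default, b"web.exe"):
            findings.append("DEFAULT.HTM references WEB.EXE")
    if mirc_dir:
        script = find_ci(mirc_dir, "SCRIPT.INI")
        # Assumption: the replaced script names the file it sends.
        if script and mentions(script, b"karen.exe"):
            findings.append("mIRC SCRIPT.INI references KAREN.EXE")
    return findings

if __name__ == "__main__":
    windir = os.environ.get("WINDIR", r"C:\Windows")
    for line in check_gokar_artifacts(windir, r"C:\inetpub\wwwroot"):
        print(line)
```

A file named WEB.EXE or SCRIPT.INI can exist on a clean system, so treat each finding as a prompt for a full antivirus scan rather than as proof of infection.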


©2009 About.com, a part of The New York Times Company.

All rights reserved.