Sophos

W32/Gokar-A


Summary

Included in our products from February 2002 (3.54)
Detected by All Sophos products

Action

Please read the instructions for removing worms.

The worm overwrites the mIRC script.ini file (see below). Make a note of where script.ini was, and either restore it from backups or uninstall and then reinstall mIRC.

You should also replace default.htm in C:\inetpub\wwwroot from your own backups.

Windows NT/2000/XP

In Windows NT/2000/XP you will also need to delete the following registry value. Removing it is optional in Windows 95/98/Me.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the following value under HKEY_LOCAL_MACHINE:

HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\Karen = C:\<windows directory>\karen.exe

and delete the Karen value if it exists. Leave the Run key itself in place, as other programs use it.

Close the registry editor and reboot your computer.
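The removal steps above amount to a short list of on-host indicators: the Run value, karen.exe in the Windows directory, web.exe and the replaced default.htm under the web root, and the rewritten mIRC script.ini. The script below is an added example, not a Sophos tool: it checks a host for each of these and reports what it finds without deleting anything. It reads the real Run key only on Windows; elsewhere it scans a constructed directory layout built by build_demo_fixture(). The mIRC test is an assumed heuristic (a stock script.ini does not DCC-send files), since the page does not give the contents of the worm's script.

```python
"""Report W32/Gokar-A artefacts from this write-up on a host.

Added example, not a Sophos tool: it deletes nothing (removal follows the
steps above). Assumptions: the mIRC check is a heuristic (a stock script.ini
does not DCC-send files), and build_demo_fixture() is a constructed layout.
"""
import os
import sys
import tempfile

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Karen"        # value the worm adds under the Run key
WORM_BINARY = "karen.exe"  # dropped into the Windows directory
WEB_DROPPER = "web.exe"    # dropped into the IIS / PWS document root
HOMEPAGE = "default.htm"   # replaced so that visitors are served web.exe


def _file_contains(path, needle):
    """True if the file exists and contains needle (case-insensitive)."""
    if not os.path.isfile(path):
        return False
    with open(path, "rb") as fh:
        return needle in fh.read().lower()


def find_indicators(run_values, windows_dir, wwwroot, mirc_dirs):
    """Return (indicator, detail) pairs for every Gokar-A artefact present."""
    hits = []
    # 1. Persistence: HKLM\...\Run\Karen pointing at karen.exe.
    #    Registry value names are case-insensitive, so compare lower-cased.
    target = next((v for k, v in run_values.items()
                   if k.lower() == RUN_VALUE.lower()), "")
    if os.path.basename(target.replace("\\", "/")).lower() == WORM_BINARY:
        hits.append(("registry_run_value",
                     f"HKLM\\{RUN_KEY}\\{RUN_VALUE} = {target}"))
    # 2. The dropped worm binary in the Windows directory.
    path = os.path.join(windows_dir, WORM_BINARY)
    if os.path.isfile(path):
        hits.append(("dropped_binary", path))
    # 3. Web-server payload: web.exe, and a default.htm that points at it.
    path = os.path.join(wwwroot, WEB_DROPPER)
    if os.path.isfile(path):
        hits.append(("web_dropper", path))
    path = os.path.join(wwwroot, HOMEPAGE)
    if _file_contains(path, WEB_DROPPER.encode()):
        hits.append(("modified_homepage", path))
    # 4. mIRC: script.ini rewritten to push a file at other users (heuristic).
    for mirc_dir in mirc_dirs:
        path = os.path.join(mirc_dir, "script.ini")
        if _file_contains(path, b"dcc send"):
            hits.append(("mirc_script", path))
    return hits


def collect_run_values():
    """Read HKLM\\...\\Run into a name -> data dict (Windows only)."""
    import winreg  # standard library, present only on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        count = winreg.QueryInfoKey(key)[1]  # (subkeys, values, last_write)
        return {name: str(data) for name, data, _ in
                (winreg.EnumValue(key, i) for i in range(count))}


def build_demo_fixture(infected=True):
    """Constructed directory layout mimicking an infected (or clean) host."""
    root = tempfile.mkdtemp(prefix="gokar-demo-")
    windows_dir, wwwroot, mirc_dir = (os.path.join(root, d)
                                      for d in ("WINDOWS", "wwwroot", "mIRC"))
    run_values = {"ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}
    files = {  # path -> bytes; all contents are constructed for the demo
        os.path.join(wwwroot, HOMEPAGE): b"<html><body>Welcome</body></html>",
        os.path.join(mirc_dir, "script.ini"):
            b"[script]\nn0=on 1:TEXT:hi:#:{ /msg $chan hello }\n",
    }
    if infected:
        run_values[RUN_VALUE] = r"C:\WINDOWS\karen.exe"
        files[os.path.join(windows_dir, WORM_BINARY)] = b"MZ"
        files[os.path.join(wwwroot, WEB_DROPPER)] = b"MZ"
        files[os.path.join(wwwroot, HOMEPAGE)] = (
            b'<html><body><a href="web.exe">web.exe</a></body></html>')
        files[os.path.join(mirc_dir, "script.ini")] = (
            b"[script]\nn0=on 1:JOIN:#:{ /dcc send $nick karen.exe }\n")
    for path, data in files.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return {"run_values": run_values, "windows_dir": windows_dir,
            "wwwroot": wwwroot, "mirc_dirs": [mirc_dir]}


def main(argv):
    if sys.platform == "win32":
        fixture = {
            "run_values": collect_run_values(),
            "windows_dir": os.environ.get("SystemRoot", r"C:\WINDOWS"),
            "wwwroot": os.environ.get("SystemDrive", "C:") + r"\inetpub\wwwroot",
            "mirc_dirs": argv[1:],  # folder(s) holding mIRC's script.ini
        }
    else:
        print("Not Windows: scanning the constructed demo layout instead.")
        fixture = build_demo_fixture()
    hits = find_indicators(**fixture)
    for indicator, detail in hits:
        print(f"{indicator:20} {detail}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On Windows, run it as Administrator and pass the mIRC folder(s) on the command line; a non-zero exit status means at least one artefact was found and the removal steps above still apply.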

More Information

W32/Gokar-A spreads via the internet by sending itself as an email attachment to addresses in the Outlook address book. The worm arrives in an email with the following characteristics:

The subject line and body text of the email are chosen randomly from a selection including:

Subject:

"If I were God and didn't belive in myself would it be blasphemy"
"The A-Team VS KnightRider ... who would win ?"
"Just one kiss, will make it better. just one kiss, and we will be alright."
"I can't help this longing, comfort me."
"And I miss you most of all, my darling ..."
"... When autumn leaves start to fall"
"It's dark in here, you can feel it all around. The underground."
"I will always be with you sometimes black sometimes white ..."
"Darling, when did you fall..when it over ?"

Body:

"Happy Birthday
Yeah ok, so it's not yours it's mine :)
still cause for a celebration though, check out the details I attached"

"Hey
They say love is blind ... well, the attachment probably proves it.
Pretty good either way though, isn't it ?"

"You should like this, it could have been made for you speak to you later"

The attachment filename consists of random characters with a BAT, COM, EXE, SCR or PIF extension.
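Because the subject lines are drawn from a fixed list and the attachment always carries one of five executable extensions, the message is easy to catch at a mail gateway. The rule below is an added example, not Sophos' own detection logic: it parses a raw RFC 822 message with Python's email module, matches the subject against the list above (after collapsing header folding and case), and pairs that with the attachment extension. The sample messages it builds are constructed, and the "executable-attachment" verdict for mails with an unrelated subject is an assumed policy, not something this page prescribes.

```python
"""Mail-gateway rule for the W32/Gokar-A message described above.

Added example, not Sophos' detection logic. The subject list and extensions
come from the write-up; build_sample() produces constructed messages, and the
"executable-attachment" verdict is an assumed gateway policy.
"""
import email
import os
from email import policy
from email.message import EmailMessage

GOKAR_SUBJECTS = (
    "If I were God and didn't belive in myself would it be blasphemy",
    "The A-Team VS KnightRider ... who would win ?",
    "Just one kiss, will make it better. just one kiss, and we will be alright.",
    "I can't help this longing, comfort me.",
    "And I miss you most of all, my darling ...",
    "... When autumn leaves start to fall",
    "It's dark in here, you can feel it all around. The underground.",
    "I will always be with you sometimes black sometimes white ...",
    "Darling, when did you fall..when it over ?",
)
EXEC_EXTENSIONS = {".bat", ".com", ".exe", ".scr", ".pif"}


def normalise(text):
    """Collapse whitespace and case so header folding cannot break a match."""
    return " ".join(text.split()).lower()


_SUBJECT_SET = {normalise(s) for s in GOKAR_SUBJECTS}


def executable_attachments(msg):
    """Names of attachments whose extension the worm is known to use."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS:
            names.append(name)
    return names


def classify(raw):
    """Return (verdict, executable attachment names) for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject_hit = normalise(str(msg.get("Subject") or "")) in _SUBJECT_SET
    execs = executable_attachments(msg)
    if subject_hit and execs:
        return "gokar", execs  # known subject + BAT/COM/EXE/SCR/PIF attachment
    if subject_hit:
        return "suspicious-subject", execs  # attachment stripped or renamed?
    if execs:
        return "executable-attachment", execs  # assumed policy: hold it anyway
    return "clean", execs


def build_sample(subject, body, attachment_name=None):
    """Constructed test message (not a captured worm mail)."""
    msg = EmailMessage()
    msg["From"] = "victim@example.com"
    msg["To"] = "friend@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ\x90\x00\x03", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample(
        "The A-Team VS KnightRider ... who would win ?",
        "Hey\nThey say love is blind ... well, the attachment probably proves it.",
        "xkq8s.scr")
    print(classify(sample))
```

The subject match is exact by design: these strings are the worm's fixed signature, including its misspelling of "belive", so they should be kept verbatim rather than "corrected". Matching on the body text would add little, since a gateway sees the same three bodies and the attachment is what carries the payload.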

W32/Gokar-A also tries to spread via mIRC by overwriting the script.ini file of the mIRC client so that it will send the worm to other mIRC users.

If the infected computer is being used as a web server via Personal Web Server or IIS (Microsoft Internet Information Server), then the worm drops a copy of itself as web.exe in the C:\inetpub\wwwroot directory. It also replaces the file default.htm (which will be the home page of the website if the default installation was used) in the C:\inetpub\wwwroot directory. The copy of default.htm created by the worm will download the worm (web.exe) to the computer of users visiting the website.

The worm drops itself into the Windows directory as karen.exe and sets the registry key

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Karen = C:\<windows directory>\karen.exe

so that this file will run on Windows startup.
