Less than 12 days before Christmas, IT administrators and end-users are jittery of anything suspicious falling into their inboxes and corporate networks. With the bad memories of Badtrans.b and Goner still wafting in the air, the initial spread of the Gokar worm on Thursday sent users scrambling to their vendors for a fix.
Twenty-four hours later, however, Gokar has officially been declared a bust by Sophos. The worm had no destructive payload and did little more than clog a few scattered e-mail gateways.
"It's done more than fizzle," said David Hughes, president of Sophos Inc., the U.S. subsidiary of Sophos PLC in the United Kingdom. "We believe there's no real cause for alarm in this case. We've had few reports from our customers around the world. We've had more inquiries than actual reports."
Sophos is reporting few infections, Hughes said.
"I think people are on edge after Badtrans.b and Goner," Hughes said. "When folks hear about a new mass-mailing worm, they become alarmed."
Gokar wasn't the only worm on the loose Thursday. Malware called Zacker was also reported, but neither had a destructive payload, Hughes said.
"Both fell into the category of an inconvenience," Hughes said. "There is a certain amount of cleanup that has to be done and definitions that have to be updated."
Gokar, W32.Gokar.A@mm, is the latest worm to feed on Microsoft applications and software to propagate. It spreads via Outlook, like the majority of mass-mailing worms, and arrives as an attachment with any of the following extensions: PIF, SCR, COM, EXE or BAT. It also spreads via infected Web pages and mIRC chats and tries to delete anti-virus programs on infected machines.
The worm does not run automatically, like Nimda or Code Red. The user must double-click the attachment to start the program, which then drops itself as KAREN.EXE into the machine's Windows directory and resets the registry key so that the file runs every time Windows starts up, according to Sophos and F-Secure, two of the vendors reacting to Gokar.
It then sends itself out to everyone in the Outlook address book, generating an e-mail from the user with a number of random subject lines and messages.
If the infected machine is being used as a Web server using Microsoft's Internet Information Systems (IIS) server software, Gokar copies itself as Web.exe into the root IIS directory,
c:\inetpub\wwwroot. From there, it replaces the file default.htm with redesi.htm and creates its own default home page that asks a visitor to download Web.exe. The user must opt to "run this file from its current location" during the download for the worm to be activated.
If the infected machine has an mIRC chat client, the worm looks for the client's script.ini file and replaces it with its own script. The worm then spreads, as KAREN.EXE, to users joining an IRC chat channel where the infected user is aboard with the following message: "If this doesn't make you smile, nothing will." The worm changes the infected user's screen name to W32_Karen, W32Karen1, KarenWorm, KarenGobo, or join #teamvirus channel on certain messages.
Zacker, meanwhile, also arrived inside inboxes Thursday morning. W32.Zacker.A@mm also spread via Outlook, arriving with the subject line: "Your Friend (sender's address)? Good Luck." When the worm is opened, it copies itself to the Windows directory as LucKey.exe and to the Windows system directory as Dallah.exe. Then it forwards itself to everyone in the Outlook address book.
It also tries to copy itself to the machine's A drive as mallait.exe and tries to create many copies of itself on the infected hard drive with names like Sharoon(number).exe, Bush(number).exe and BinLaden(number).exe with the number being any from 1 to 9,999. The copies consume free space on the hard drive and slow the system.