Gokar
Type: Multiple vector worm
Creator: Simon Vallor
Date Discovered: 12-DEC-2001
Place of Origin: Llandudno, North Wales, UK
Source Language: Visual Basic
Platform: MS Windows
File Type(s): .exe
Infection Length: 14,336 bytes
Reported Costs

Gokar, also known as Karen, is a worm that gained notoriety in the early 2000s. The creator was ultimately tracked down and imprisoned for writing the worm. It can arrive on a system through multiple vectors, including email, IRC, and an infected website.

Behavior

Gokar can arrive through email, IRC, or an infected website. When arriving through an email, the subject, body, and file name are chosen from pre-determined strings in the worm's body, and the attachment has one of the following extensions: PIF, SCR, COM, EXE or BAT. When coming through an infected website, it always has the filename "web.exe". On IRC, the name will be KAREN.EXE.

When arriving in an email, subjects include:

  • If I were God and didn't belive in myself would it be blasphemy
  • The A-Team VS KnightRider … who would win ?
  • Just one kiss, will make it better. just one kiss, and we will be alright.
  • I can't help this longing, comfort me.
  • And I miss you most of all, my darling …
  • … When autumn leaves start to fall
  • It's dark in here, you can feel it all around. The underground.
  • I will always be with you sometimes black sometimes white …
  • .. and there's no need to be scared, you re always on my mind.
  • You just take a giant step, one step higher.
  • The air will hold you if you try, trust my wings of desire. Glory, Glorified…….

Message bodies include:

  • Happy Birthday
  • Yeah ok, so it's not yours it's mine :)
  • The horizons lean forward, offering us space to place new steps of change.
  • I like this calm, moments before the storm
  • Darling, when did you fall..when was it over ?
  • Will you meet me …. and we'll fly away ?!
  • You should like this, it could have been made for you
  • speak to you later
  • They say love is blind … well, the attachment probably proves it.
  • Pretty good either way though, isn't it ?
  • still cause for a celebration though, check out the details I attached
  • This made me laugh
  • Got some more stuff to tell you later but I can't stop right now
  • so I'll email you later or give you a ring if thats ok ?!
  • Speak to you later

The file name will be constructed from a random number and one or more of the following strings contained in the worm:

  • tgfdfg
  • jhfxvc
  • cgfd2
  • trevc
  • t6tr
  • ffdasf
  • glkfh
  • fhjdv
  • qesac
  • kujzv
  • weafs
  • twat
  • rewfd
  • gfdsf
  • hgbv
  • fdsc
  • p0olik
  • 3tgf
  • rf43dr
  • t54refd
  • ut545a
  • r4354gkjw
  • vgrewu
  • xw54re
  • y343rv
  • z3vdf
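
As a detection aid, the following added example (not code from the worm or from any vendor signature) checks an attachment name against the naming rules described above: the two fixed names, or a listed extension plus a stem built from a number and one or more of the listed strings. The function names, the length cap and the assumption that the number and strings may appear in any order are assumptions of this example; the page does not state the order.

```python
from functools import lru_cache

# Name fragments, extensions and fixed names exactly as listed on this page.
FRAGMENTS = (
    "tgfdfg jhfxvc cgfd2 trevc t6tr ffdasf glkfh fhjdv qesac kujzv weafs twat "
    "rewfd gfdsf hgbv fdsc p0olik 3tgf rf43dr t54refd ut545a r4354gkjw vgrewu "
    "xw54re y343rv z3vdf"
).split()
EXTENSIONS = {"pif", "scr", "com", "exe", "bat"}
FIXED_NAMES = {"web.exe", "karen.exe"}  # website and IRC vectors
MAX_STEM = 64  # assumption: bound the work done on attacker-supplied names
DIGITS = "0123456789"


def _decomposes(stem):
    """True if stem splits into >=1 listed fragment and >=1 separate digit run."""
    @lru_cache(maxsize=None)  # memoise so long digit runs cannot blow up
    def walk(pos, has_frag, has_num):
        if pos == len(stem):
            return has_frag and has_num
        for frag in FRAGMENTS:
            if stem.startswith(frag, pos) and walk(pos + len(frag), True, has_num):
                return True
        end = pos
        while end < len(stem) and stem[end] in DIGITS:
            end += 1  # try every split point: some fragments start with a digit
            if walk(end, has_frag, True):
                return True
        return False

    return walk(0, False, False)


def classify_attachment(filename):
    """Return 'fixed-name', 'generated-name' or None for an attachment name."""
    name = filename.strip().lower()
    if name in FIXED_NAMES:
        return "fixed-name"
    stem, dot, ext = name.rpartition(".")
    if not dot or ext not in EXTENSIONS or not 0 < len(stem) <= MAX_STEM:
        return None
    return "generated-name" if _decomposes(stem) else None


if __name__ == "__main__":
    # Constructed sample names, not taken from real traffic.
    for sample in ("KAREN.EXE", "4821trevc.scr", "123tgf.pif", "report2024.pdf"):
        print(sample, "->", classify_attachment(sample))
```

A match on the name alone is a triage signal, not proof of infection; the fixed names in particular can collide with unrelated files.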

When the worm is executed, it copies itself as KAREN.EXE to the Windows directory and adds the value "Karen" = "\karen.exe" to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, ensuring it will be run at startup. The worm checks for and terminates processes associated with antivirus programs.

Gokar checks if the system is running a Microsoft IIS webserver, and if so, copies itself as WEB.EXE to the IIS root folder. It then renames the page DEFAULT.HTM to REDESI.HTM (named for another worm) and replaces it with its own page, containing the text "We Are Forever.". Any visitor to the site will be asked to download WEB.EXE, the worm file.

The worm replaces the SCRIPT.INI belonging to the mIRC chat client with its own. The replacement script sends the file KAREN.EXE to anyone on the same channel as the infected system. It looks for specific text messages in the channel and might change the username to 'W32_Karen', 'W32Karen1', 'KarenWorm' or 'KarenGobo', and can join the #teamvirus channel on certain messages.

The worm opens the Windows Address Book and sends a copy of itself to all the email addresses it can find there. It takes the registered user's name for the sender line and constructs an email subject and body from strings contained in the worm.

Origin

Simon Vallor of Llandudno, North Wales in the UK created the worm in his early 20s. He was captured, charged under the 1990 Computer Misuse Act, and sentenced to two years in prison, a sentence he appealed but lost. There was speculation his sentence could be reduced because of his general good character and cooperation with authorities and he ended up serving eight months. In addition to Gokar, he was also responsible for Redesi and Admirer.

Effects

In early 2002, Gokar was the third most common malware on the Internet. In the court case against the creator, the prosecution submitted evidence that the three viruses from the creator, including Gokar, had spread to 27,000 computers in 42 countries. On another date, the prosecution claimed 330,000 in 46 countries. This may also include totals from Redesi and Admirer. Vallor had argued that compared to other viruses like Loveletter and Nimda, their impact was quite small and that the release was an accident.

Sources

F-Secure, Gokar.

Dave Adamczyk Symantec Security Response, W32.Gokar.A@mm. 13-FEB-2007

John Leyden. The Register, Welsh virus writer Vallor jailed for two years. 21-JAN-2003

-. -, Welsh virus writer loses appeal. 23-JUL-2003

David Powell. Daily Post (through the Free Library), Brains behind computer virus says he dreads going to prison. 27-JUL-2002

Gráinne Kirwan and Andrew Power. Cambridge University Press, Cybercrime: The Psychology of Online Offenders.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License