I-Worm.Gokar
Description I-Worm.Gokar
This is a virus-worm that spreads via the Internet as an attachment to infected e-mails, sends itself via IRC channels, and infects an IIS server. It also protects itself from anti-virus programs. The worm itself is a Windows PE EXE file, 14336 bytes in length, written in Visual Basic 6 and packed with UPX. After unpacking, it is 53 Kb in size. It contains the following text strings:

W32.Karen by Gobo all happy birthday girl !!! shouts : W1z, Merl, NM, and whoever else. #teamvirus on Undernet ... say hello. bob is the king of bots :)
Infected messages contain the following:

The subject is one of 15 variants:

If I were God and didn't belive in myself would it be blasphemy
The A-Team VS KnightRider ... who would win ?
Just one kiss, will make it better. just one kiss, and we will be alright.
I can't help this longing, comfort me.
And I miss you most of all, my darling ...
... When autumn leaves start to fall
It's dark in here, you can feel it all around. The underground.
I will always be with you sometimes black sometimes white ...
.. and there's no need to be scared, you re always on my mind.
You just take a giant step, one step higher.
The air will hold you if you try, trust my wings of desire. Glory, Glorified.......
The horizons lean forward, offering us space to place new steps of change.
I like this calm, moments before the storm
Darling, when did you fall..when was it over ?
Will you meet me .... and we'll fly away ?!

The attachment file name is random and has one of the following extensions: .exe, .pif, .scr, .bat, .com

Sample names are as follows:

3tgf3tgf3tgf373774285313tgf.scr
ffdasfffdasfffdasf145361008658ffdasf.com
rewfdrewfdrewfd30741913208rewfd.scr

The message body is one of the following 4 variants:

Hey They say love is blind ... well, the attachment probably proves it. Pretty good either way though, isn't it ?

You should like this, it could have been made for you speak to you later

Happy Birthday Yeah ok, so it's not yours it's mine :) still cause for a celebration though, check out the details I attached

This made me laugh Got some more stuff to tell you later but I can't stop right now so I'll email you later or give you a ring if thats ok ?! Speak to you later

Installation

While installing, the worm copies itself to the Windows system directory with the name KAREN.EXE and registers that file in the system registry auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Karen = karen.exe
Spreading via E-mail

To send infected messages, the worm uses MS Outlook and sends messages to all addresses found in the Outlook address book.

Spreading via IRC channels

The worm overwrites the file C:\MIRC\SCRIPT.INI with a new script file. This script sends an EXE file to each user joining the infected channel. It also sends the following message:

If this doesn't make you smile, nothing will.

It changes a user's nickname to the following: karen, worm, virus, sex

The script ignores users that send the texts: script, infected, dcc, script, infected

It joins the channel #teamvirus if it receives a text with char 'e'.

Infecting IIS server

The worm overwrites the file C:\INETPUB\WWWROOT\DEFAULT.HTM with its code, and copies itself to the directory C:\INETPUB\WWWROOT with the name WEB.EXE. The new DEFAULT.HTM contains a link to the file WEB.EXE. It also has a text comment: As a result, the local IIS server is infected by the worm.

Protecting from anti-viral programs

While installing in the computer system, the worm scans the running processes. It checks their names against the following list:

VSHWIN32.EXE
PW32.EXE
_avpm.exe
avpm.exe
ICLOAD95.EXE
ICMON.EXE
IOMon98.exe
VetTray.exe
Claw95.exe
f-stopw.exe

The worm terminates these processes in memory.
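A triage check for the I-Worm.Gokar artifacts described above, as an added example that is not part of the original description. The attachment-name pattern (a token repeated three times, digits, the token again) is an assumption inferred from the three sample names; the function names and the sample data are constructed for illustration.

```python
import re

EXTS = ("exe", "pif", "scr", "bat", "com")  # attachment extensions listed above
# Assumption from the three sample names: token x3, digits, token once more.
ATTACH_RE = re.compile(r"^([a-z0-9]+?)\1\1\d+\1\.(?:%s)$" % "|".join(EXTS), re.I)

def looks_like_gokar_attachment(name):
    """True if an attachment file name fits the repeated-token pattern."""
    return ATTACH_RE.match(name.strip()) is not None

def host_findings(run_values, files):
    """run_values: Run-key value name -> data.
    files: full path -> text content ('' when only the path is known)."""
    findings = []
    for name, data in run_values.items():
        if name.lower() == "karen" and data.lower().endswith("karen.exe"):
            findings.append("autorun value Karen = " + data)
    for path, text in files.items():
        low, body = path.lower(), text.lower()
        if low.rsplit("\\", 1)[-1] == "karen.exe":
            findings.append("worm copy: " + path)
        elif low == r"c:\inetpub\wwwroot\web.exe":
            findings.append("IIS worm copy: " + path)
        elif low == r"c:\inetpub\wwwroot\default.htm" and "web.exe" in body:
            # DEFAULT.HTM exists on clean servers; only the WEB.EXE link matters.
            findings.append("default page links to WEB.EXE: " + path)
        elif low == r"c:\mirc\script.ini" and (
                "#teamvirus" in body or "if this doesn't make you smile" in body):
            # SCRIPT.INI is a normal mIRC file; flag only the worm's strings.
            findings.append("mIRC script replaced: " + path)
    return findings

# Constructed sample data for demonstration (not taken from a real host).
SAMPLE_RUN = {"Karen": "karen.exe", "SystemTray": "SysTray.Exe"}
SAMPLE_FILES = {
    r"C:\WINDOWS\SYSTEM\KAREN.EXE": "",
    r"C:\INETPUB\WWWROOT\WEB.EXE": "",
    r"C:\INETPUB\WWWROOT\DEFAULT.HTM": '<a href="WEB.EXE">click</a>',
    r"C:\MIRC\SCRIPT.INI": "[script]\nn0=; user's own aliases",
}

if __name__ == "__main__":
    for n in ("rewfdrewfdrewfd30741913208rewfd.scr", "report2001.exe"):
        print(n, looks_like_gokar_attachment(n))
    for finding in host_findings(SAMPLE_RUN, SAMPLE_FILES):
        print(finding)
```
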
Macro.Word.Ochoy
Description Macro.Word.Ochoy
This is an encrypted macro virus containing five macros in infected documents and ten macros in global macros area (NORMAL.DOT):

Documents          NORMAL.DOT
Ard01, AutoOpen    Ard01
Ard02              Ard02, FileSave, AutoClose
Ard03              Ard03, FileTemplates, ToolsMacro, ToolsCustomize
Ard04              Ard04, FileOpen
It infects the global macros area on opening an infected document (AutoOpen) and copies itself to documents that are saved or closed (FileSave, AutoClose). Before infecting, the virus deletes all macros in the target. The virus stores the counter of infections in the document's variable "ard01". Depending on this counter, the virus either prints to the status line the text "O C H O Y * P K T B N I", or displays the MessageBox:

BNI - PKT (c) Ardi Sunardi - 1 9 9 7
Macro.Word.Ofxx
Description Macro.Word.Ofxx
This is an encrypted virus containing three macros that have different names in global area (NORMAL.DOT) and infected documents:

          NORMAL.DOT   Infected files
Macro1    Ofxx         AutoOpen   - infects the global area on opening
Macro2    AutoClose    Cfxx       - infects the files on closing
Macro3    AutoExec     Show       - corrupted in samples I have
In most samples the macro "AutoExec" ("Show") is damaged, but the virus code is able to replicate itself without problems even with the damaged macro. The damaged macro contains the following text:

at yang kaya dengan uap air bali yang berada di direktori WINDOWS dan WINWORD telah hilang, jangan kaget, ini bukan ulah Anda, tapi ini hasil pekerjaan sayaallBarang siapa yang berhasil menemukan cara menangkal virus ini, saya aka j¡n memberi listing virus ini untuk Anda !!! Dan tentu saja saya akan terus datang kesini untuk memberi Anda salam dengan virus-virus terbaru dari saya...selamat ! Bandung, C:\PESAN.TXT
This text is very similar to the text included in the "Macro.Word.Bandung" virus.