The worm is written in Visual Basic and has been compressed by
the UPX file compressor.
The worm infects a computer when a user opens an infected
attachment. The worm copies itself as KAREN.EXE into Windows
folder and modifies Registry to be always run with Windows. The
worm's file has hidden attribute. Then the worm creates the
"Karen" = "<windir>\karen.exe"
Where <windir> is Windows directory name.
After that the worm opens Outlook Address book and sends itself
to all e-mail addresses it can find there. The infected messages
can have different subjects and bodies:
Subject can be one of the following:
If I were God and didn't belive in myself would it be blasphemy
The A-Team VS KnightRider ... who would win
Just one kiss, will make it better. just one kiss, and we will be alright.
I can't help this longing, comfort me.
And I miss you most of all, my darling ...
... When autumn leaves start to fall
It's dark in here, you can feel it all around. The underground.
I will always be with you sometimes black sometimes white ...
.. and there's no need to be scared, you re always on my mind.
You just take a giant step, one step higher.
The air will hold you if you try, trust my wings of desire. Glory, Glorified.......
The horizons lean forward, offering us space to place new steps of change.
I like this calm, moments before the storm
Darling, when did you fall..when was it over ?
Will you meet me .... and we'll fly away ?!
Message bodies can contain one of the following:
You should like this, it could have been made for you
speak to you later
They say love is blind ... well, the attachment probably proves it.
Pretty good either way though, isn't it ?
Yeah ok, so it's not yours it's mine :)
still cause for a celebration though, check out the details I attached
This made me laugh
Got some more stuff to tell you later but I can't stop right now
so I'll email you later or give you a ring if thats ok ?!
Speak to you later
After the body the worm puts Windows registered user name (the
name of a person Windows is registered to).
The attachment name is randomly composed from a few parts that
are hardcoded in the worm's body. The attachment can have .PIF,
.SCR, .EXE, .BAT and .COM extension. Example:
Here's an example of an infected message:
The worm also spreads via IRC. It replaces mIRC chat client's
SCRIPT.INI file with its own one. This script allows the worm to
send itself as KAREN.EXE to all people joining an IRC channel
where an infected user is present. The worm sends itself with the
If this doesn't make you smile, nothing will.
The worm looks for specific text messages in IRC channel and can
change user's nickname to 'W32_Karen', 'W32Karen1', 'KarenWorm',
'KarenGobo' or join #teamvirus channel on certain messages.
The worm can also spread from a webpage. It checks if the
infected machine has Microsoft IIS web server installed. It it is
found the worm copies itself as WEB.EXE to root IIS folder,
renames DEFAULT.HTM to REDESI.HTM (note: Redesi is the name of
another virus) and creates its own DEFAULT.HTM page. If a visitor
of a website opens this page, he will be asked to download
WEB.EXE file. If a user accepts to 'Run this file from current
location', the worm will be downloaded and activated on his
The worm looks for and terminates processes belonging to
anti-virus and security software. The following processes are
Gokar is detected by F-Secure Anti-Virus update shipped on 13th
To remove Gokar worm from your system please do the following:
1. Download and run the following REG file:
2. Restart your system and scan your hard drive with F-Secure
Anti-Virus (default settings). When FSAV detects Gokar infection
in KAREN.EXE located in Windows directory, select 'Delete'
3. If Gokar worm infected a webserver, delete WEB.EXE file from
C:\inetpub\wwwroot\ folder and rename REDESI.HTM (the original
startup page renamed by the worm) back to DEFAULT.HTM. To do this
open DOS session and type at command prompt (mind spaces):
ren redesi.htm default.htm
Press 'Enter' after each line.
[Analysis by F-Secure Anti-Virus Research Team; December 13th, 2001]