Not all Internet worms contain misspellings and sex references. In fact, Goker (w32.goker.a@mm) is even a little poetic. Unfortunately, this worm will attempt to contact everyone in your Microsoft Outlook address book, potentially tying up e-mail servers with excess traffic.
Goker also contains an mIRC script that allows the worm to spread from infected users to other IRC users who share the same channel. In rare cases, Goker can spread via a Web page, asking users who happen upon an infected Web page to download a file called Web.exe. At this time, Goker is not known to damage data files, but it will disable antivirus software running at the time of infection. Goker currently ranks a 4 on the ZDNet Virus Meter.
How it works
Goker arrives as e-mail with one of the following subject lines:
If I were God and didn't belive in myself would it be blasphemy The A-Team VS KnightRider...who would win? Just one kiss, will make it better. just one kiss, and we will be alright. I can't help this longing, comfort me. And I miss you most of all, my darling... ...When autumn leaves start to fall It's dark in here, you can feel it all around. The underground. I will always be with you sometimes black sometimes white ... ...and there's no need to be scared, you re always on my mind. You just take a giant step, one step higher. The air will hold you if you try, trust my wings of desire. Glory, Glorified...The body of the e-mail contains one or more of the following:
Happy Birthday Yeah ok, so it's not yours it's mine :) The horizons lean forward, offering us space to place new steps of change. I like this calm, moments before the storm Darling, when did you fall...when was it over? Will you meet me...and we'll fly away?! You should like this, it could have been made for you speak to you laterThey say love is blind...well, the attachment probably proves it. Pretty good either way though, isn't it? still cause for a celebration though, check out the details I attached This made me laugh Got some more stuff to tell you later but I can't stop right now so I'll email you later or give you a ring if thats ok?! Speak to you laterThe attached filename consists of a random number combined with some of these strings:
tgfdfg jhfxvc cgfd2 trevc t6tr ffdasf glkfh fhjdv qesac kujzv weafs twat rewfd gfdsf hgbv fdsc p0olik 3tgf rf43dr t54refd ut545a r4354gkjw vgrewu xw54re y343rv z3vdf Lastly, the filename has one of these extensions: .pif, .scr, .exe, .com, or .bat. If the attached file is opened, the worm adds the infected user's name to the end of the message and sends copies of the mail to all addresses in the Microsoft Outlook address book. Goker also contains a script called script.ini. If an infected user joins an IRC channel, Goker sends the infected file karen.exe to new users joining that channel. The worm looks for specific words used on the channel and will change a user's nickname to variations on Karen, such as KarenWorm or KarenGobo, or change the user's channel to #teamvirus.
If the infected computer is also a Web server running Microsoft IIS, Goker can infect the Default.htm page so that outsiders who visit the site will be asked to download a file called Web.exe. The infected Web page contains the text "We Are Forever."
On infected computers, Goker looks for and disables several popular antivirus products, including Symantec, F-Secure, Kaspersky, Sophos, and Trend Micro.
Removal
Almost all the antivirus software companies have updated their signature files to include this worm.
