The Gokar worm--full name: "W32.Gokar.A@mm"--spreads as an attachment to an e-mail. The subject line and text of the message can be any combination of more than two dozen options, according to antivirus software maker Symantec. The attachment is named with a seemingly random collection of letters and numbers ending in one of the following extensions: .pif, .scr, .exe, .com or .bat.
The worm does no damage to an infected PC, but Symantec rated the Gokar threat as moderate because of its multi-pronged ability to replicate itself and its arrival at several major corporations.
"We had some big corporate customers who had gotten it, but it does not seem to have spread wildly," said Steve Trilling, director of researcher for Symantec Security Response. "If it gets inside a large organization, it can create enough e-mail traffic to really slow down their network...But at this point, I would say there's no evidence it's going to take off in a big way."
The worm sends itself to all addresses in the infected PC's Microsoft Outlook address book and also creates a script file that attempts to spread the worm via mIRC, a popular program for using the IRC chat service. In rare circumstances, Gokar can also modify Web pages on infected servers running Microsoft's Internet Information Server software to direct Web surfers to an infected site.
British antivirus screening service MessageLabs, which reported that the worm originated in Australia, said it had intercepted a little more than 100 copies of the worm in the 24 hours since it was first detected, putting it well below threats such as the Goner worm and perennial contender SirCam.
As with similar outbreaks, security experts advise PC users to update their antivirus software and not open unsolicited e-mail attachments.