W32/Gaobot.worm.y

Type: Virus
SubType: Internet Worm
Discovery Date: 08/21/2003
Length: 53,248 bytes
Minimum DAT: 4283 (08/06/2003)
Updated DAT: 4326 (02/18/2004)
Minimum Engine: 5.1.00
Description Added: 08/21/2003
Description Modified: 08/26/2003 2:21 AM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

This worm was already detected proactively by the 4283 and later DATs, under the name Exploit-DcomRpc.

This worm attempts to use several vulnerabilities to spread; the network symptoms listed below point to MS03-026 (TCP 135) and MS03-001 (TCP 445).

The worm then copies itself to the Windows system directory and references itself in the registry so that it is loaded again at startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "Config Loader" = svchosl.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    "Config Loader" = svchosl.exe

The worm needs MSVCP60.DLL to run. This is the standard Microsoft Visual C++ 6.0 runtime library; if it is not present on the system, the worm cannot execute.

Symptoms

  • Presence of svchosl.exe and winhl32.exe files in the Windows system folder (typically WinNT\System32).
  • Port 22226 open; a firewall may alert about traffic on this port (backdoor/bot related).
  • Additional traffic on TCP ports 135 (MS03-026 related) and 445 (MS03-001 related).
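To turn the autostart entries and symptoms above into a repeatable host check, here is an added triage script. It is not McAfee's tooling and is not part of the original description. It assumes the `reg query` and `netstat -ano` output formats of Windows XP/2003; the registry, netstat and directory samples embedded below are constructed so that it runs offline, and on a real host you would replace them with the output of `reg query "<key>"`, `netstat -ano` and a listing of %SystemRoot%\System32.

```python
"""Triage a host for the W32/Gaobot.worm.y indicators in the description above.

Added example, not McAfee's tooling. The sample command output below is
constructed; feed real `reg query` / `netstat -ano` output on a live host.
"""
import re
from pathlib import PureWindowsPath

# Autostart keys and value name the worm uses (from the description).
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
RUN_VALUE_NAME = "Config Loader"
DROPPED_FILES = {"svchosl.exe", "winhl32.exe"}   # note: svchosl, not the legitimate svchost
BACKDOOR_PORT = 22226                             # bot/backdoor listener

# Constructed sample of `reg query <key>` output, one entry per key.
SAMPLE_REG_OUTPUT = {
    RUN_KEYS[0]: """
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    ctfmon.exe    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe
    Config Loader    REG_SZ    svchosl.exe
""",
    RUN_KEYS[1]: """
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices
    Config Loader    REG_SZ    svchosl.exe
""",
}

# Constructed sample of `netstat -ano` output.
SAMPLE_NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       808
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:22226          0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.20:1042      192.168.1.7:135        SYN_SENT        1532
"""

# Constructed listing of %SystemRoot%\System32.
SAMPLE_SYSTEM32_LISTING = ["kernel32.dll", "svchost.exe", "svchosl.exe", "winhl32.exe"]

# "    <name>    REG_SZ    <data>" lines; the name may contain spaces.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*?)\s*$")
NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)


def parse_reg_values(reg_query_output):
    """Parse `reg query` output into {value name: data}; REG_* lines only."""
    values = {}
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group("name")] = m.group("data")
    return values


def find_run_persistence(reg_outputs):
    """Return (key, value name, data) for entries matching the worm's autostart hook."""
    hits = []
    for key, output in reg_outputs.items():
        for name, data in parse_reg_values(output).items():
            exe = PureWindowsPath(data.strip('"')).name.lower()
            if name == RUN_VALUE_NAME or exe in DROPPED_FILES:
                hits.append((key, name, data))
    return hits


def find_listening_ports(netstat_output):
    """Return {local port: pid} for TCP sockets in LISTENING state."""
    listening = {}
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if m and m.group("state") == "LISTENING":
            port = int(m.group("local").rsplit(":", 1)[1])
            listening[port] = int(m.group("pid"))
    return listening


def find_dropped_files(system32_listing):
    """Exact-name match only, so the legitimate svchost.exe is never flagged."""
    return sorted(f for f in system32_listing if f.lower() in DROPPED_FILES)


def triage(reg_outputs, netstat_output, system32_listing):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    for key, name, data in find_run_persistence(reg_outputs):
        findings.append(f"autostart: {key}\\{name} = {data}")
    listening = find_listening_ports(netstat_output)
    if BACKDOOR_PORT in listening:
        findings.append(f"backdoor: TCP {BACKDOOR_PORT} LISTENING, pid {listening[BACKDOOR_PORT]}")
    for f in find_dropped_files(system32_listing):
        findings.append(f"dropped file: {f}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG_OUTPUT, SAMPLE_NETSTAT_OUTPUT, SAMPLE_SYSTEM32_LISTING):
        print(finding)
```

The PID reported next to port 22226 is the one to cross-check against the process list: in the constructed sample it also owns the outbound SYN to another host's port 135, which is the MS03-026 scanning traffic the Symptoms list describes.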

Method of Infection

It can act as an IRC bot and spreads through network shares.

When it attempts to spread through open shares, it also tries password-protected shares using its own list of common user names and passwords (such as "Guest", "Administrator", "Test", "User", "owner", "pcowner", "passwd", "111111", "1234qwer", "123abc", "god", "sex", "root", "secret", "foobar", "121212", "mypass", "mypc", "godblessyou", "ihavenopass", "oracle", "123asd" and others).
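The share-guessing behaviour above has a recognisable network signature: one source address failing logons against several of the well-known account names in quick succession. The following detector is an added example, not part of the description. The audit records it reads are constructed (one failed or successful network logon per line, with timestamp, source address and target account) and the window and thresholds are assumptions to tune for your environment.

```python
"""Flag the share brute-forcing Gaobot.y performs: one source failing logons
against many well-known account names within a short window.

Added example, not part of the description. Records are constructed; WINDOW
and the thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Account names from the worm's own list (see the description), lower-cased.
WORM_ACCOUNTS = {"guest", "administrator", "test", "user", "owner", "pcowner", "root", "oracle"}

WINDOW = timedelta(seconds=60)   # assumption: sliding window length
MIN_ATTEMPTS = 5                 # assumption: failed logons inside the window
MIN_DISTINCT_ACCOUNTS = 3        # assumption: distinct accounts inside the window

RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

# Constructed audit records, in time order. 192.168.1.7 behaves like the worm;
# 192.168.1.50 is a user mistyping a password once.
SAMPLE_LOG = """\
2003-08-21 14:02:11 src=192.168.1.7 user=Guest result=FAILURE
2003-08-21 14:02:12 src=192.168.1.7 user=Administrator result=FAILURE
2003-08-21 14:02:12 src=192.168.1.7 user=Administrator result=FAILURE
2003-08-21 14:02:13 src=192.168.1.50 user=jsmith result=FAILURE
2003-08-21 14:02:14 src=192.168.1.7 user=Test result=FAILURE
2003-08-21 14:02:15 src=192.168.1.7 user=User result=FAILURE
2003-08-21 14:02:16 src=192.168.1.7 user=owner result=FAILURE
2003-08-21 14:02:20 src=192.168.1.50 user=jsmith result=SUCCESS
2003-08-21 14:02:21 src=192.168.1.7 user=root result=FAILURE
"""


def parse_record(line):
    """Return (timestamp, source, user, result) or None for unparseable lines."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("src"), m.group("user"), m.group("result")


def detect_share_bruteforce(lines):
    """One alert per source whose failed logons cross both thresholds inside
    any WINDOW-long sliding window. Input must be in time order."""
    recent = defaultdict(deque)   # source -> deque of (ts, account) still inside WINDOW
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ts, src, user, result = rec
        if result != "FAILURE":
            continue
        q = recent[src]
        q.append((ts, user.lower()))
        while ts - q[0][0] > WINDOW:   # expire attempts older than the window
            q.popleft()
        accounts = {u for _, u in q}
        if (src not in alerted
                and len(q) >= MIN_ATTEMPTS
                and len(accounts) >= MIN_DISTINCT_ACCOUNTS):
            alerted.add(src)
            alerts.append({
                "source": src,
                "first_seen": q[0][0],
                "last_seen": ts,
                "attempts": len(q),
                "accounts": sorted(accounts),
                "worm_list_hits": sorted(accounts & WORM_ACCOUNTS),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_share_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The detector keys on the pattern (many accounts, one source, short window) rather than on account lockouts, because the worm's list leads with the built-in Administrator account; an alert carries the subset of targeted names that appear in the worm's own dictionary so an analyst can see the overlap at a glance.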

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup are removed when cleaning with the recommended engine and DAT combination (or higher).


Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • WORM_AGOBOT.P (Trend)
