W32/Gaobot.worm.z

Type
Virus
SubType
Internet Worm
Discovery Date
08/31/2003
Length
52,736 bytes (UPXed)
Minimum DAT
4283 (08/06/2003)
Updated DAT
4326 (02/18/2004)
Minimum Engine
5.1.00
Description Added
09/01/2003
Description Modified
09/01/2003 3:09 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This worm is proactively detected as Exploit-DcomRpc with the 4283 DATs or later (with scanning of compressed executables enabled).

Precise detection as W32/Gaobot.worm.z will be included in the 4291 DATs (release date 3 September 2003).

This worm attempts to use several vulnerabilities to spread:

Upon execution, the worm copies itself to %SysDir% as:

  • SVCHOS1.EXE
  • RPCFIX.EXE

(Where %SysDir% is the System directory, for example: C:\WINNT\SYSTEM32.)

The following Registry keys are added to hook system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "MS Config Loader" = SVCHOSl.EXE
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "MS Config Loader" = SVCHOSl.EXE

As with the previous variant, this worm requires MSVCP60.DLL to run. This is a standard Microsoft Visual C++ 6.0 runtime DLL; if it is not present on the system, the worm cannot execute.

Symptoms

  • Port 22227 open on victim machine
  • Existence of the Registry keys and filenames detailed above
  • Additional traffic on TCP ports 135 (MS03-026 related) and 445 (MS03-001 related).
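As an added host-triage example (not part of the original description), the following Python checks a saved registry export and `netstat -an` output for the indicators listed above: the "MS Config Loader" Run/RunServices values, the worm's filenames, and a TCP listener on port 22227. The sample inputs are constructed.

```python
import re

# Indicators from the description above. The page spells the file SVCHOS1.EXE
# (digit) and SVCHOSl.EXE (lowercase L); both spellings are matched.
WORM_FILES = {"svchos1.exe", "svchosl.exe", "rpcfix.exe"}
STARTUP_VALUE = "ms config loader"
STARTUP_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
BOT_PORT = 22227  # listed under Symptoms as open on infected machines

def check_registry_export(reg_text):
    """Return (key, value_name, data) hits for the worm's Run/RunServices hooks."""
    hits, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()  # section header names the key
            continue
        m = re.match(r'"([^"]+)"="([^"]*)"', line)  # "name"="string data"
        if m and current_key in STARTUP_KEYS:
            name, data = m.group(1), m.group(2)
            # match on the value name or on the bare filename in the data
            if name.lower() == STARTUP_VALUE or data.lower().split("\\")[-1] in WORM_FILES:
                hits.append((current_key, name, data))
    return hits

def check_netstat(netstat_text):
    """Return True if 'netstat -an' output shows a TCP listener on BOT_PORT."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            if int(parts[1].rsplit(":", 1)[1]) == BOT_PORT:
                return True
    return False

# Constructed sample inputs, not captured from a real host.
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MS Config Loader"="SVCHOS1.EXE"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MS Config Loader"="SVCHOS1.EXE"
'''
SAMPLE_NETSTAT = '''  Proto  Local Address  Foreign Address  State
  TCP    0.0.0.0:135    0.0.0.0:0        LISTENING
  TCP    0.0.0.0:22227  0.0.0.0:0        LISTENING
'''
```

Run on a real host by exporting the two Run keys with `regedit /e` and capturing `netstat -an`, then passing both texts to the two functions.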

Method of Infection

This worm propagates via poorly secured network shares, and is intended to take advantage of two high profile exploits:

When it attempts to spread through open shares, it also tries some password-protected shares using its own list of common usernames and passwords. This list contains typical weak username/password combinations. Users should avoid securing shares with passwords containing key sequences such as:

  • qwerty
  • 012345
  • xyz

(or combinations thereof).

Once running on the victim machine the worm also acts as an IRC bot, and attempts to join a channel on a remote IRC server.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files to hook system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.HLLW.Gaobot.AA (NAV)
  • WORM_AGOBOT.R (Trend)
