W32/Gaobot.worm.aa

Type
Virus
SubType
Internet Worm
Discovery Date
09/05/2003
Length
200,704 bytes (UPX-packed)
Minimum DAT
4292 (09/10/2003)
Updated DAT
4326 (02/18/2004)
Minimum Engine
5.1.00
Description Added
09/08/2003
Description Modified
09/08/2003 5:04 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

Similarly to previous variants (W32/Gaobot.worm.z for example), this worm attempts to use several vulnerabilities to spread; the propagation routes are described under Method of Infection below.

Upon execution, the worm copies itself to %SysDir% as:

  • SCVHOST.EXE

(Where %SysDir% is the System directory, for example: C:\WINNT\SYSTEM32.) Note that the filename differs from the legitimate SVCHOST.EXE only by two transposed letters, so check the spelling carefully when looking for it.

The following Registry values are added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  "Config Loader" = SCVHOST.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  "Config Loader" = SCVHOST.EXE

As with the previous variant, this worm requires MSVCP60.DLL (the Microsoft Visual C++ 6.0 runtime library) to run; if that DLL is not present on the system, the worm fails to execute.

Symptoms

  • Port 5599 open (listening) on the victim machine
  • Existence of the Registry values and filename detailed above
  • Additional traffic to TCP port 135 (MS03-026, RPC DCOM) and TCP port 445 (MS03-001, RPC Locator service) as the worm probes other hosts
  • Unexpected network traffic to the following remote IRC server (port 9900):

    bunghole.mysqld.com

Method of Infection

This worm propagates via poorly secured network shares and is intended to take advantage of two high-profile exploits, the RPC DCOM vulnerability (MS03-026, TCP port 135) and the RPC Locator service vulnerability (MS03-001, TCP port 445) referred to under Symptoms.

When spreading through network shares it also tries password-protected shares, using its own built-in list of common usernames and passwords. This list contains typical poor username/password combinations. Users should avoid securing shares with passwords containing keyboard or counting sequences such as:

  • qwerty
  • 012345
  • xyz

(or combinations thereof.)
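The following check, added here as an example and not part of McAfee's description or the worm's own code, generalizes the advice above: it finds any run of three or more characters that walks forwards or backwards along a keyboard row, the alphabet or the digits (so it catches "qwerty", "012345" and "xyz" as well as "zyx" or "54321"), and flags a share password that is built mostly from such runs. The sequence tables, the three-character threshold and the eight-character minimum are assumptions; the worm's actual dictionary is not published on this page.

```python
"""Audit a candidate share password for the keyboard/counting sequences a
dictionary attack enumerates cheaply.  Added example; the tables below are an
assumption, not the worm's dictionary."""

# Assumed sequence tables: US keyboard rows, the alphabet and the digits.
SEQUENCES = [
    "qwertyuiop", "asdfghjkl", "zxcvbnm",   # keyboard rows ("qwerty")
    "abcdefghijklmnopqrstuvwxyz",           # alphabet ("xyz", "abc")
    "0123456789",                           # digits ("012345")
]
MIN_RUN = 3      # assumed: three consecutive characters already count as a run


def find_sequences(password: str, min_run: int = MIN_RUN) -> list:
    """Return the maximal substrings of password (case-insensitive) that walk
    forwards or backwards along one of SEQUENCES, left to right, e.g.
    'Qwerty12345' -> ['qwerty', '12345'] and 'zyx321' -> ['zyx', '321']."""
    pw = password.lower()
    tables = SEQUENCES + [s[::-1] for s in SEQUENCES]   # reversed = descending runs
    found = []
    i = 0
    while i < len(pw):
        best = ""
        for seq in tables:
            pos = seq.find(pw[i])
            if pos < 0:
                continue
            j = i
            # extend while the password keeps following this table
            while j < len(pw) and pos + (j - i) < len(seq) and pw[j] == seq[pos + (j - i)]:
                j += 1
            if j - i > len(best):
                best = pw[i:j]
        if len(best) >= min_run:
            found.append(best)
            i += len(best)
        else:
            i += 1
    return found


def audit_share_password(password: str, min_length: int = 8) -> list:
    """Return a list of reasons the password is a poor share password
    (empty list means no problem found by these checks)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    runs = find_sequences(password)
    if runs:
        problems.append("contains keyboard/counting sequence(s): " + ", ".join(runs))
        # "combinations thereof": a password that is mostly sequences is still
        # reachable by a dictionary that concatenates them
        if sum(len(r) for r in runs) * 2 >= len(password):
            problems.append("built mostly from sequences")
    return problems


if __name__ == "__main__":
    for candidate in ["qwerty012345", "Qwerty12345", "xyz", "Tr0ub4dor&3"]:
        print(candidate, "->", audit_share_password(candidate) or "ok")
```

The scan is left-to-right and greedy, so overlapping runs are reported once; a password that passes this check can still be weak for other reasons (dictionary words, reuse), which the page's advice does not cover.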

Once running on the victim machine the worm also acts as an IRC bot, and attempts to join a channel on the following remote IRC server (port 9900):

bunghole.mysqld.com
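The script below, added here as an example and not McAfee's detection or removal code, turns the indicators from the Symptoms and Method of Infection sections (the SCVHOST.EXE drop, the "Config Loader" Run/RunServices values, the port 5599 listener and the IRC connection to bunghole.mysqld.com:9900) into a triage check over artifacts collected from a host. It works on the text of a `reg export` dump, a listing of the System directory, `netstat -an` output and DNS query log lines; the sample artifacts are constructed, and the DNS log format is an assumption. The file check matches the exact name, so the legitimate SVCHOST.EXE is not flagged.

```python
"""Triage a host for the W32/Gaobot.worm.aa indicators.  Added example, not
McAfee code; sample artifacts are constructed and the DNS log format assumed."""
import re

# Indicators taken from the description.
DROPPED_FILE = "scvhost.exe"           # transposition of the legitimate svchost.exe
STARTUP_VALUE = "Config Loader"
STARTUP_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
LISTEN_PORT = 5599
IRC_HOST = "bunghole.mysqld.com"
IRC_PORT = 9900


def check_registry(reg_export: str) -> list:
    """Scan the text of a .reg export for the startup hooks."""
    findings = []
    current_key = None
    wanted = {k.lower() for k in STARTUP_KEYS}
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)    # "Name"="value" lines only
        if m and current_key and current_key.lower() in wanted:
            name, value = m.groups()
            if name == STARTUP_VALUE or value.lower().endswith(DROPPED_FILE):
                findings.append(f"startup hook {current_key}\\{name} = {value}")
    return findings


def check_files(system_dir_listing: list) -> list:
    """Exact, case-insensitive match so the real svchost.exe is not flagged."""
    return [f"dropped file {n}" for n in system_dir_listing if n.lower() == DROPPED_FILE]


def check_netstat(netstat_output: str) -> list:
    """Find the port 5599 listener and live connections to the IRC port."""
    findings = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue
        _proto, local, remote, state = parts[:4]
        if state == "LISTENING" and local.rsplit(":", 1)[1] == str(LISTEN_PORT):
            findings.append(f"backdoor listener on {local}")
        if state == "ESTABLISHED" and remote.rsplit(":", 1)[1] == str(IRC_PORT):
            findings.append(f"connection to IRC C2 port {remote}")
    return findings


def check_dns_log(dns_log: list) -> list:
    return [f"C2 lookup: {line}" for line in dns_log if IRC_HOST in line.lower()]


def triage(reg_export: str, listing: list, netstat_output: str, dns_log: list) -> list:
    return (check_registry(reg_export) + check_files(listing)
            + check_netstat(netstat_output) + check_dns_log(dns_log))


# Constructed sample artifacts from an infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Config Loader"="SCVHOST.EXE"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Config Loader"="SCVHOST.EXE"
'''
SAMPLE_LISTING = ["svchost.exe", "SCVHOST.EXE", "msvcp60.dll"]
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5599           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1054        198.51.100.7:9900      ESTABLISHED
"""
SAMPLE_DNS = ["2003-09-08 10:02:11 client 192.0.2.10 query A bunghole.mysqld.com"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_LISTING, SAMPLE_NETSTAT, SAMPLE_DNS):
        print(finding)
```

A listener on port 5599 or a connection to port 9900 on its own is only a lead; the dropped file and the "Config Loader" startup values together are the confirming indicators from this description.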

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

  • W32/Gaobot.worm.ab

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.