W32/Gaobot.worm.ak

Content

W32/Gaobot.worm.ak

Type: Virus
SubType: Internet Worm
Discovery Date: 10/09/2003
Length: 204800
Minimum DAT: 4298 (10/15/2003)
Updated DAT: 4326 (02/18/2004)
Minimum Engine: 5.1.00
Description Added: 10/10/2003
Description Modified: 10/16/2003 3:16 AM (PT)

Risk Assessment

Corporate User: Low
Home User: Low

Tab Navigation

Characteristics

Similarly to previous variants ( W32/Gaobot.worm.aa for example), this worm attempts to use several vulnerabilities to spread:

MS03-001 (RPC Locator)
MS03-026 (Dcom RPC)

Upon execution, the worm copies itself to %SysDir% as:

LSAS.EXE (204800 bytes)

(Where %SysDir% is the System directory, for example: C:\WINNT\SYSTEM32.)

The following Registry keys are added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run "Windows Explorer" = LSAS.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
RunServices "Windows Explorer" = LSAS.exe

Symptoms

Existence of the Registry keys and Filenames detailed above
Additional traffic on TCP ports 135 (MS03-026 related) , 445 (MS03-001 related) and 6667.
The worm references the NetScheduleJob API call and may create remote Scheduled Tasks on infected systems.
Unexpected network traffic to a remote IRC server
Unexpected traffic to an FTP server to download/update a bot.
When going to Add/Remove programs, the list is empty, no icons/description of the installed programs appear and its "close" button doesn't work.
Font changes
Problems printing
Copy & paste functionality might not work properly any more.

The worm attempts to terminate the following processes:

_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
ACKWIN32.EXE
ANTI-TROJAN.EXE
APVXDWIN.EXE
AUTODOWN.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCTRL.EXE
AVKSERV.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVWIN95.EXE
AVWUPD32.EXE
BLACKD.EXE
BLACKICE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
CLAW95.EXE
CLAW95CF.EXE
CLEANER.EXE
CLEANER3.EXE
DVP95.EXE
DVP95_0.EXE
ECENGINE.EXE
ESAFE.EXE
ESPWATCH.EXE
F-AGNT95.EXE
FINDVIRU.EXE
FPROT.EXE
F-PROT.EXE
F-PROT95.EXE
FP-WIN.EXE
FRW.EXE
F-STOPW.EXE
IAMAPP.EXE
IAMSERV.EXE
IBMASN.EXE
IBMAVSP.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
IOMON98.EXE
JEDI.EXE
LOCKDOWN2000.EXE
LOOKOUT.EXE
LUALL.EXE
MOOLIVE.EXE
MPFTRAY.EXE
N32SCANW.EXE
NAVAPW32.EXE
NAVLU32.EXE
NAVNT.EXE
NAVW32.EXE
NAVWNT.EXE
NISUM.EXE
NMAIN.EXE
NORMIST.EXE
NUPGRADE.EXE
NVC95.EXE
OUTPOST.EXE
PADMIN.EXE
PAVCL.EXE
PAVSCHED.EXE
PAVW.EXE
PCCWIN98.EXE
PCFWALLICON.EXE
PERSFW.EXE
RAV7.EXE
RAV7WIN.EXE
RESCUE.EXE
SAFEWEB.EXE
SCAN32.EXE
SCAN95.EXE
SCANPM.EXE
SCRSCAN.EXE
SERV95.EXE
SMC.EXE
SPHINX.EXE
SWEEP95.EXE
TBSCAN.EXE
TCA.EXE
TDS2-98.EXE
TDS2-NT.EXE
VET95.EXE
VETTRAY.EXE
VSCAN40.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSSTAT.EXE
WEBSCANX.EXE
WFINDV32.EXE
ZONEALARM.EXE

Method of Infection

This worm propagates via accessible or poorly secured network shares, and is intended to take advantage of two high profile exploits:

MS03-001 (RPC Locator)
MS03-026 (Dcom RPC)

When it attempts to spread through default administrative shares:

print$
e$
d$
c$
admin$
ipc$

The worm contains a list of common user-names and passwords. This list contains typical poor username/password combinations. Users should avoid securing shares with passwords containing key sequences such as:

000000
00000000
007
1
110
111
111111
11111111
12
121212
123
123123
1234
12345
123456
1234567
12345678
123456789
1234qwer
123abc
123asd
123qwe
2002
2600
54321
654321
88888888
a
aaa
abc
abcd
Admin
admin
Administrador
Administrateur
administrator
Administrator
alpha
asdf
computer
database
Default
Dell
enable
foobar
Gast
god
godblessyou
Guest
home
ihavenopass
Internet
Inviter
Login
love
mgmt
mypass
mypc
oracle
owner
Owner
pass
passwd
Password
password
pat
patrick
pc
pw
pwd
qwer
root
secret
server
sex
Standard
super
sybase
temp
test
Test
User
win
x
xp
xxx
xyz
yxcv
zxcv

Once running on the victim machine the worm also acts as an IRC bot, and attempts to join a channel on an IRC server: Once connected, the bot can receive commands to perform various tasks, such as:

Exit the bot
Retrieve system information
Retrieve the bot's status
Open a file
Download (via FTP or HTTP) and execute a file
Perform a Denial of Service attack

The worm also tries to steal game software CD keys:

Chrome
Soldier of Fortune II - Double Helix
Neverwinter
Nox
Tiberian Sun
Red Alert 2
Red Alert
Project IGI 2
Command & Conquer Generals
Battlefield 1942 Secret Weapons of WWII
Battlefield 1942 The Road to Rome
Battlefield 1942
Nascar 2003
Nascar 2002
Nascar Racing 2002
NHL 2003
NHL 2002
FIFA 2003
FIFA 2002
Need For Speed Hot Pursuit 2
The Gladiators
UT2003
LoMaM
Counter-Strike
Half-Life CDKey

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

Backdoor.Agobot.3.h (Kaspersky)

W32.HLLW.Gaobot.AO (Symantec)

WORM_AGOBOT.H (Trend)

Characteristics

Characteristics -