
W32/Gaobot.worm.gen

Type
Virus
SubType
Worm
Discovery Date
10/15/2002
Length
Varies
Minimum DAT
4238 (12/18/2002)
Updated DAT
5558 (03/19/2009)
Minimum Engine
5.1.00
Description Added
10/28/2003
Description Modified
05/16/2004 11:39 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low


Characteristics

-- Update May 25, 2004 --

This family is rapidly growing and at the time of this update had 1350 variants. Many of them were proactively detected. The following is an example of one that requires an update for detection to occur:

 Filename      Filesize   Minimum DAT
 SVHOST.EXE    302,151    4363

-- Update May 6, 2004 --

To date, there are more than 900 variants of this Gaobot worm in the wild. The most recent variants exploit the LSASS vulnerability addressed by MS04-011 and are stealthy by nature. The first LSASS-exploiting variant is detected as W32/Gaobot.worm.ali, whose description covers it in more detail.

-- Update March 31, 2004 --

This family is rapidly growing and at the time of this update had 542 variants. Most of them were proactively detected. A few recent variants:

 Filename      Filesize   Minimum DAT
 NAVPAW.EXE    312,346    4346
 NVSVC.EXE     91,160     4346

AVERT is constantly enhancing generic detection for this family. To ensure you have appropriate protection, use the latest DATs and the latest engine, and do not disable the scanning of packed executable files.

-- Update January 7, 2004 --

This family is rapidly growing and at the time of this update had 171 variants. Most of them have been detected proactively since the 4266 DATs (dated May 2003). Recent variants:

 Filename        Filesize   Minimum DAT
 WINHLPP32.EXE   197,632    4323
 WINREG.EXE      197,120    4266
 SYSTEM.EXE      199,680    4266
 MSMSGR.EXE      228,572    4266
 WINCRT32.EXE    58,880     4266
 TASKMNGR.EXE    213,504    4266
 SW32.EXE        68,608     4266
 WINHL32.EXE     56,320     4283
 LSAS.EXE        66,463     4313
 SYSINFO.EXE     255,488    4313
 SYSLDR32.EXE    245,760    4266
 SYSCHK.EXE      237,568    4266
 WNCRT32.EXE     199,680    4266
 CSVHOST.EXE     207,775    4266
 DOSRUN32.EXE    536,576    4266
 WSYS32.EXE      65,024     4266
 MSDEF.EXE       59,904     4266
 WINDOWZ.EXE     220,672    4266
 REGCLEAN.EXE    226,304    4297
 SYSMGR.EXE      110,592    4266
 CSRRS.EXE       270,973    4266
 CSRRS.EXE       274,432    4266
 SCVHOST.EXE     197,120    4266
 NTDM.EXE        197,120    4266
 LTTIME.EXE      205,824    4298
 WUMP.EXE        205,824    4298
 NTTDM.EXE       215,552    4266
 NTDOM.EXE       214,528    4266
 CSRRS.EXE       58,880     4266
 ...

AVERT is constantly enhancing generic detection for this family. To ensure you have appropriate protection please do use the latest DATs.

-- Update October 28, 2003 --

Proactive Detection:
AVERT has received a few different variants of this worm in the past 24 hours. All of these variants are detected generically as either W32/Gaobot.worm.gen or W32/Gaobot.worm.gen.b.

  • The W32/Gaobot.worm.gen detection was enhanced in the 4266 DATs (requires the scanning of compressed files to be enabled).
  • The W32/Gaobot.worm.gen.b detection has been provided since the 4298 DATs.

Variants are typically PE-packed, and may be of varying size and filename. For example, brief details of a few of the most recent variants are as follows:

  • SCVHOST.EXE (197,120 bytes - UPX packed)
  • CSRRS.EXE (71,680 bytes - UPX packed)
  • WINCRT32.EXE (69,632 bytes - UPX packed)
  • SVCH0ST.EXE (228,572 bytes - Petite packed)
  • DOSRUN32.EXE (209,408 bytes - UPX packed)
  • IEXPLORERE.EXE (204,288 bytes - UPX packed)
  • MSRUN.EXE (207,872 bytes - UPX packed)
  • SCVHOSL.EXE (54,784 bytes - UPX packed)
  • WINCRT6.EXE (228,352 bytes - UPX packed)
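The packers listed above are the reason this description keeps insisting on scanning packed and compressed files: the worm's own code sits compressed inside the packer's sections, so a signature for the unpacked body does not match the bytes on disk. As an added example (not AVERT's or McAfee's code), the following Python reads a PE file's section table and reports which packer the section names suggest, a cheap first triage step for a suspicious SCVHOST.EXE-style sample. The section-name markers, and the minimal PE skeleton built as input, are assumptions constructed for the example; they are heuristics, not a detection signature.

```python
"""Packer triage from the PE section table (added example, not AVERT/McAfee code)."""
import struct
from typing import List, Optional

# Section-name markers left by the packers named in this description. These are
# heuristics (assumption): a packer can be told to rename its sections, and a
# clean binary could reuse the names, so treat a hit as a triage signal only.
PACKER_SECTION_NAMES = {
    "UPX": {"UPX0", "UPX1", "UPX2", ".UPX0", ".UPX1"},
    "Petite": {".petite"},
}

COFF_HEADER_SIZE = 20          # IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40       # IMAGE_SECTION_HEADER


def pe_section_names(data: bytes) -> List[str]:
    """Return the section names of a PE image; raise ValueError if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_header_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + COFF_HEADER_SIZE + opt_header_size   # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        raw = data[off:off + 8]                          # Name field is 8 bytes, NUL-padded
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def detect_packer(data: bytes) -> Optional[str]:
    """Name the packer suggested by the section names, or None if nothing matches."""
    names = set(pe_section_names(data))
    for packer, markers in PACKER_SECTION_NAMES.items():
        if names & markers:
            return packer
    return None


def build_sample_pe(section_names: List[str]) -> bytes:
    """Construct a minimal PE32 skeleton (headers only, not executable) as test input."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header right after the DOS header
    optional = struct.pack("<H", 0x10B) + bytes(222)   # PE32 magic plus a zeroed remainder (224 bytes)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(optional), 0x102)
    sections = b"".join(
        name.encode("ascii").ljust(8, b"\0") + bytes(SECTION_HEADER_SIZE - 8)
        for name in section_names
    )
    return bytes(dos) + b"PE\0\0" + coff + optional + sections


if __name__ == "__main__":
    for layout in ([".text", ".data", ".rsrc"], ["UPX0", "UPX1", ".rsrc"], [".text", ".petite"]):
        print(layout, "->", detect_packer(build_sample_pe(layout)))
```

A packer hides the worm body from a scanner that does not unpack, but it does not hide its own section-name tell, which is what makes this check useful as triage and also why a sample with renamed sections slips straight past it; the scanner's packed-file support, not this heuristic, is the actual protection.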

Please see below for a more general description of this (rapidly growing) family of worms.


This is a generic detection for worms in the W32/Gaobot.worm family. Though first introduced in the 4238 DATs, generic detection was enhanced in the 4266 DATs.

There are many variants of this worm - for maximum protection users are recommended to:

  • use the latest engine/DATs combination
  • ensure the scanning of compressed files is enabled

Recent variants in this family are intended to take advantage of high profile exploits (for one example, see the MS04-011 LSASS vulnerability in the May 6, 2004 update above).

Descriptions of individual variants, where available, are listed under Variants below.

Symptoms

Exact symptoms will vary between variants, but typically those such as the following are included:

  • Additional traffic on TCP ports 135 and 445
  • Creation of remote Scheduled Tasks on infected systems (via the NetScheduleJobAdd API call)
  • Unexpected network traffic to a remote IRC server
  • Unexpected traffic to an FTP server to download or update a bot
  • In Add/Remove Programs the list is empty, no icons or descriptions of the installed programs appear, and its Close button does not work
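The network symptoms above are visible from a firewall or flow collector without touching the infected host. As an added example (not part of this AVERT description), the following Python scores records per source host for the Gaobot pattern: a burst of TCP 135/445 connections to many distinct targets (share and exploit propagation), a session to an IRC server (the bot's control channel), and an FTP fetch (bot download/update). The record format, the IRC port range, the fan-out threshold and window, and the sample records are assumptions constructed for the example; tune them to your collector.

```python
"""Network-symptom triage for Gaobot-like hosts (added example, not AVERT/McAfee code)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

SCAN_PORTS = {135, 445}                 # propagation ports from the symptoms list
IRC_PORTS = set(range(6660, 6670))      # conventional IRC port range (assumption, not from the page)
FTP_PORT = 21
FANOUT_THRESHOLD = 20                   # distinct 135/445 targets per source within WINDOW (assumption)
WINDOW = timedelta(seconds=60)

# Constructed sample records (assumed format): "<ISO time> <src> <dst> <dport> <proto> <action>".
# 10.0.0.5 sweeps a /24 on 445, joins an IRC server and pulls a file over FTP.
# 10.0.0.9 is a normal client talking to one file server. 10.0.0.12 only uses FTP.
SAMPLE_LOG = (
    [f"2004-05-06T10:00:{i:02d} 10.0.0.5 10.0.1.{i} 445 tcp deny" for i in range(1, 26)]
    + [
        "2004-05-06T10:00:30 10.0.0.5 198.51.100.7 6667 tcp allow",
        "2004-05-06T10:00:45 10.0.0.5 198.51.100.8 21 tcp allow",
        "2004-05-06T10:00:03 10.0.0.9 10.0.2.2 445 tcp allow",
        "2004-05-06T10:00:40 10.0.0.9 10.0.2.2 445 tcp allow",
        "2004-05-06T10:00:41 10.0.0.9 198.51.100.20 443 tcp allow",
        "2004-05-06T10:00:50 10.0.0.12 203.0.113.5 21 tcp allow",
    ]
)


def parse_record(line: str) -> dict:
    """Split one record into typed fields; raises ValueError on a malformed line."""
    ts, src, dst, dport, proto, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto, "action": action}


def max_fanout(events: List[Tuple[datetime, str]]) -> int:
    """Largest number of distinct destinations from one source inside any WINDOW-long span."""
    events = sorted(events)
    best = 0
    for i, (start, _) in enumerate(events):
        targets = set()
        for ts, dst in events[i:]:
            if ts - start > WINDOW:
                break
            targets.add(dst)
        best = max(best, len(targets))
    return best


def triage(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return {source host: [reasons]} for hosts showing the Gaobot network symptoms."""
    scans = defaultdict(list)
    irc = defaultdict(set)
    ftp = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        r = parse_record(line)
        if r["proto"] != "tcp":
            continue
        if r["dport"] in SCAN_PORTS:
            scans[r["src"]].append((r["ts"], r["dst"]))   # denied attempts count: they are the scan
        elif r["dport"] in IRC_PORTS:
            irc[r["src"]].add(r["dst"])
        elif r["dport"] == FTP_PORT:
            ftp[r["src"]].add(r["dst"])

    findings: Dict[str, List[str]] = defaultdict(list)
    for src, events in scans.items():
        n = max_fanout(events)
        if n >= FANOUT_THRESHOLD:
            findings[src].append(f"{n} distinct hosts on TCP 135/445 within {int(WINDOW.total_seconds())}s")
    for src, servers in irc.items():
        findings[src].append(f"IRC connection to {', '.join(sorted(servers))}")
    # FTP on its own is ordinary; it only matters on a host that already shows scanning or IRC.
    for src, servers in ftp.items():
        if src in findings:
            findings[src].append(f"FTP fetch from {', '.join(sorted(servers))} (possible bot download/update)")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_LOG).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

The fan-out count, not the raw volume on 445, is what separates a worm from a busy file-server client: the normal host above makes several 445 connections but to a single server, and the FTP-only host is not reported at all.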

Method of Infection

The exact method of propagation will vary between variants. However, the following characteristics are typical:

Share Propagation

The worm propagates via accessible or poorly secured network shares, and some variants are also intended to take advantage of two high profile exploits (not enumerated in this description).

It attempts to spread through default administrative shares, for example:

  • PRINT$
  • E$
  • D$
  • C$
  • ADMIN$
  • IPC$

Some variants carry a list of weak username/password combinations and try them against shares. Users should not protect shares or accounts with passwords consisting of or containing key sequences such as:

  • 000000
  • 00000000
  • 110
  • 111
  • 111111
  • 11111111
  • 12
  • 121212
  • 123
  • 123123
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234qwer
  • 123abc
  • 123asd
  • 123qwe
  • a
  • aaa
  • abc
  • abcd
  • Admin
  • admin
  • Administrador
  • Administrateur
  • administrator
  • Administrator
  • asdf
  • owner
  • Owner
  • pass
  • passwd
  • Password
  • password
  • pw
  • pwd
  • qwer
  • root
  • secret
  • server
  • temp
  • test
  • Test
  • xyz
  • yxcv
  • zxcv

IRC Connection

Some variants of this family attempt to connect to a remote IRC server and join a specified IRC channel. Once connected, the worm acts as a bot, awaiting remote commands from its controller. Exact functionality will vary between variants, but such commands typically include the ability to download and execute further files from remote servers.

Process Termination

Some variants in this family attempt to terminate the processes of several anti-virus and security products.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.HLLW.Gaobot.AF (NAV)
  • W32.HLLW.Gaobot.AO (NAV)
  • W32.HLLW.Gaobot.AP (NAV)
  • W32.HLLW.Gaobot.BF (NAV)
  • W32.HLLW.Gaobot.FB (NAV)
  • W32/Agobot-AF (Sophos)
  • Win32.Phatbot
