W32/Gbot.worm

Type: Virus
SubType: Internet Worm
Discovery Date: 04/22/2004
Length: varies
Minimum DAT: 4354 (04/28/2004)
Updated DAT: 4655 (12/21/2005)
Minimum Engine: 5.1.00
Description Added: 04/22/2004
Description Modified: 04/26/2004 1:51 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This is an internet worm that spreads both via network shares and by taking advantage of the MyDoom backdoor, and it installs a backdoor of its own on the victim system.

When run, it copies itself to the WINDOWS SYSTEM (%sysDir%) directory using a randomly created name and creates a registry run key to load the worm at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run "random name" = [random file name].exe

It also creates copies of itself in

  • C:\My Documents\

Observed names include (depending on the variant):

  • 93,261 AIM_Account_Stealer_Crack.exe
  • 93,558 AIM_Account_Stealer_Full.exe
  • 93,470 AIM_Account_Stealer_Patch.exe
  • 93,400 Cat_Attacks_Child_Full.exe
  • 93,656 Cat_Attacks_Child_ISO_Full.exe
  • 93,187 Cat_Attacks_Child_Key_Generator.exe
  • 93,499 CKY3_Bam_Margera_World_Industries_Alien_Workshop_Full.exe
  • 93,435 CKY3_Bam_Margera_World_Industries_Alien_Workshop_ISO_Full.exe
  • 93,407 CKY3_Bam_Margera_World_Industries_Alien_Workshop_Key_Generator.exe
  • 93,664 CKY3_Bam_Margera_World_Industries_Alien_Workshop_Patch.exe
  • 93,329 DSL_Modem_Uncapper_Crack.exe
  • 93,226 DSL_Modem_Uncapper_Full.exe
  • 93,246 DSL_Modem_Uncapper_ISO_Full.exe
  • 93,466 DSL_Modem_Uncapper_Key_Generator.exe
  • 93,509 Hacking_Tool_Collection_Crack.exe
  • 93,422 Hacking_Tool_Collection_Full.exe
  • 93,424 Hacking_Tool_Collection_ISO_Full.exe
  • 93,495 Hacking_Tool_Collection_Patch.exe
  • 93,452 Internet_and_Computer_Speed_Booster_Crack.exe
  • 93,410 Internet_and_Computer_Speed_Booster_ISO_Full.exe
  • 93,238 Internet_and_Computer_Speed_Booster_Key_Generator.exe
  • 93,287 Internet_and_Computer_Speed_Booster_Patch.exe
  • 93,285 Macromedia_Flash_5.0_Crack.exe
  • 93,194 Macromedia_Flash_5.0_Full.exe
  • 93,599 Macromedia_Flash_5.0_ISO_Full.exe
  • 93,184 Macromedia_Flash_5.0_Key_Generator.exe
  • 93,500 Macromedia_Flash_5.0_Patch.exe
  • 93,345 MSN_Password_Hacker_and_Stealer_Crack.exe
  • 93,599 MSN_Password_Hacker_and_Stealer_Full.exe
  • 93,248 MSN_Password_Hacker_and_Stealer_Patch.exe
  • 93,359 Windows_XP_Crack.exe
  • 93,354 Windows_XP_Full.exe
  • 93,506 Windows_XP_Key_Generator.exe
  • 93,573 ZoneAlarm_Firewall_Full.exe
  • 93,262 ZoneAlarm_Firewall_ISO_Full.exe
  • 93,606 ZoneAlarm_Firewall_Patch.exe

Or:

  • 46,592 AIM_Account_Stealer_Crack.exe
  • 47,011 AIM_Account_Stealer_Full.exe
  • 46,774 AIM_Account_Stealer_ISO_Full.exe
  • 46,979 AIM_Account_Stealer_Key_Generator.exe
  • 46,604 AIM_Account_Stealer_Patch.exe
  • 46,645 Cat_Attacks_Child_Crack.exe
  • 46,644 Cat_Attacks_Child_ISO_Full.exe
  • 46,989 Cat_Attacks_Child_Key_Generator.exe
  • 46,758 Cat_Attacks_Child_Patch.exe
  • 46,765 CKY3_Bam_Margera_World_Industries_Alien_Workshop_Crack.exe
  • 46,760 CKY3_Bam_Margera_World_Industries_Alien_Workshop_Patch.exe
  • 46,900 DSL_Modem_Uncapper_Crack.exe
  • 46,633 DSL_Modem_Uncapper_Full.exe
  • 47,013 DSL_Modem_Uncapper_ISO_Full.exe
  • 46,666 DSL_Modem_Uncapper_Patch.exe
  • 47,039 Hacking_Tool_Collection_Crack.exe
  • 47,030 Hacking_Tool_Collection_Key_Generator.exe
  • 47,077 Hacking_Tool_Collection_Patch.exe
  • 46,773 Internet_and_Computer_Speed_Booster_Crack.exe
  • 46,940 Internet_and_Computer_Speed_Booster_Full.exe
  • 46,661 Macromedia_Flash_5.0_ISO_Full.exe
  • 47,046 Macromedia_Flash_5.0_Key_Generator.exe
  • 47,063 MSN_Password_Hacker_and_Stealer_Full.exe
  • 47,074 MSN_Password_Hacker_and_Stealer_ISO_Full.exe
  • 46,938 MSN_Password_Hacker_and_Stealer_Key_Generator.exe
  • 46,951 Windows_XP_Crack.exe
  • 46,708 Windows_XP_Full.exe
  • 46,731 Windows_XP_ISO_Full.exe
  • 6,903 Windows_XP_Key_Generator.exe
  • 46,768 Windows_XP_Patch.exe
  • 47,036 ZoneAlarm_Firewall_Crack.exe
  • 46,779 ZoneAlarm_Firewall_Patch.exe

The BackDoor component listens on TCP port 113 for incoming connections and connects to an IRC channel at xxx.xxx.108.243 port 6659.

Network Propagation

The worm scans random IPs trying to access the netbios-ssn and microsoft-ds services. Once a system is found, the worm tries to connect to the 'C$' share on that machine.

Although it could not be directly observed, it is believed the worm creates a number of files named !ReadMe.exe on the victim system, in the root of all available local and network drives and in

  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

This worm can also infect systems already infected by the BackDoor MyDoom.
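The propagation behaviour described above (random IPs probed on netbios-ssn, TCP 139, and microsoft-ds, TCP 445, followed by a C$ connection) and the IRC connection on port 6659 are both visible from the network. The following is an added detection example, not McAfee's code or anything from the worm itself: it runs over constructed firewall flow lines and flags a source that reaches many distinct destinations on TCP 139/445 inside a one-minute window, and separately reports any outbound TCP 6659 connection. The flow-line format, the window length and the threshold are assumptions made for the example.

```python
"""Flow-log detection for the W32/Gbot.worm propagation pattern.

Added example (not McAfee's code). A host that opens SMB connections
(netbios-ssn, TCP 139; microsoft-ds, TCP 445) to many distinct addresses
in a short window is treated as a scanner; an outbound connection to
TCP 6659 (the IRC control channel from the description) is reported too.
The flow-line format, window length and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}
IRC_PORT = 6659                 # control channel port from the description
SCAN_THRESHOLD = 20             # distinct targets per window (assumed tuning value)
WINDOW = timedelta(minutes=1)


def parse_flow(line):
    """Parse one constructed flow line: '<iso-timestamp> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, proto.lower(), int(dport)


def detect(lines):
    """Return {'scanners': {src: peak distinct SMB targets}, 'irc_clients': {src, ...}}."""
    findings = {"scanners": {}, "irc_clients": set()}
    smb_events = defaultdict(list)          # src -> [(timestamp, dst)]
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, proto, dport = parse_flow(line)
        if proto != "tcp":
            continue
        if dport == IRC_PORT:
            findings["irc_clients"].add(src)
        elif dport in SMB_PORTS:
            smb_events[src].append((ts, dst))

    for src, events in smb_events.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span is at most WINDOW
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= SCAN_THRESHOLD:
                peak = findings["scanners"].get(src, 0)
                findings["scanners"][src] = max(peak, len(targets))
    return findings


# constructed sample: one host sweeping a /24 on microsoft-ds in 25 seconds,
# a normal workstation using the file server, and the backdoor calling IRC
SAMPLE_LINES = [
    f"2004-04-22T10:00:{i:02d} 10.0.0.5 10.0.1.{i + 1} tcp 445" for i in range(25)
] + [
    "2004-04-22T10:00:05 10.0.0.9 10.0.0.20 tcp 445",
    "2004-04-22T10:00:40 10.0.0.9 10.0.0.20 tcp 139",
    "2004-04-22T10:01:00 10.0.0.5 203.0.113.10 tcp 6659",
]

if __name__ == "__main__":
    result = detect(SAMPLE_LINES)
    for src, n in result["scanners"].items():
        print(f"SMB sweep from {src}: {n} distinct targets within {WINDOW}")
    for src in sorted(result["irc_clients"]):
        print(f"outbound TCP {IRC_PORT} from {src}")
```

The workstation that talks to a single file server on 445 and 139 never crosses the threshold, so the rule keys on breadth of targets rather than on SMB traffic as such; on a real network the threshold should be tuned against the number of servers a client legitimately reaches per minute.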

Symptoms

Unusual outbound network traffic, the presence of the registry key mentioned above, and the presence of the files mentioned above.
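The host-side symptoms listed above (the Run key, the dropped files and the listener) can be checked mechanically. The following is an added triage example, not McAfee's code: it takes a constructed snapshot of the HKLM Run key, a file listing with sizes and netstat -an output, and reports a Run value that launches a non-allowlisted executable from the system directory, decoy file names from the lists above at a size inside one of the two observed size bands, !ReadMe.exe in a drive root or the All Users Startup folder, and a listener on TCP 113. The snapshot formats, the allowlist and the subset of decoy names are assumptions made for the example.

```python
"""Host triage for the W32/Gbot.worm indicators listed in this description.

Added example (not McAfee's code). It checks a snapshot of the HKLM Run
key, a file listing and 'netstat -an' output for:
  - a Run value that launches a non-allowlisted .exe from the system directory
    (the worm uses a random name, so an allowlist is the only handle)
  - the decoy names from the description in C:\\My Documents\\, at a size
    inside one of the two observed size bands
  - !ReadMe.exe in a drive root or the All Users Startup folder
  - a listener on TCP 113 (the backdoor port)
Snapshot formats, the allowlist and the decoy-name subset are assumptions.
"""
import re

SYSTEM_DIR = r"c:\windows\system32"
STARTUP_DIR = r"c:\documents and settings\all users\start menu\programs\startup"
BACKDOOR_PORT = 113
KNOWN_GOOD_RUN = {"ctfmon.exe"}            # constructed allowlist for the example
DECOY_NAMES = {                             # subset of the observed names
    "aim_account_stealer_crack.exe",
    "hacking_tool_collection_full.exe",
    "windows_xp_key_generator.exe",
    "zonealarm_firewall_patch.exe",
}
SIZE_BANDS = [(46_592, 47_077), (93_184, 93_664)]   # observed sizes, one band per variant
DRIVE_ROOT_DROP = re.compile(r"^[a-z]:\\!readme\.exe$")


def _split_path(path):
    """Lower-case a Windows path and split it into (folder, file name)."""
    folder, _, fname = path.lower().rpartition("\\")
    return folder, fname


def _program_of(command):
    """Extract the executable path from a Run value command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def suspicious_run_values(run_values):
    """run_values: {value name: command} read from HKLM\\...\\CurrentVersion\\Run."""
    hits = []
    for value_name, command in run_values.items():
        folder, fname = _split_path(_program_of(command))
        if folder == SYSTEM_DIR and fname.endswith(".exe") and fname not in KNOWN_GOOD_RUN:
            hits.append(value_name)
    return hits


def suspicious_files(files):
    """files: [(path, size in bytes)] from a file-system listing."""
    hits = []
    for path, size in files:
        folder, fname = _split_path(path)
        in_band = any(lo <= size <= hi for lo, hi in SIZE_BANDS)
        if fname in DECOY_NAMES and in_band:
            hits.append(path)
        elif fname == "!readme.exe" and (DRIVE_ROOT_DROP.match(path.lower()) or folder == STARTUP_DIR):
            hits.append(path)
    return hits


def backdoor_listener(netstat_lines):
    """netstat_lines: lines of 'netstat -an'; True if TCP 113 is in LISTENING state."""
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        local, state = parts[1], parts[3]
        if int(local.rsplit(":", 1)[1]) == BACKDOOR_PORT and state.upper() == "LISTENING":
            return True
    return False


def triage(run_values, files, netstat_lines):
    return {
        "run_values": suspicious_run_values(run_values),
        "files": suspicious_files(files),
        "tcp113_listener": backdoor_listener(netstat_lines),
    }


# constructed snapshot of an infected host
SAMPLE_RUN = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "xkqwpz": r"C:\WINDOWS\system32\xkqwpz.exe",      # random-name worm copy
}
SAMPLE_FILES = [
    (r"C:\My Documents\AIM_Account_Stealer_Crack.exe", 93_261),
    (r"C:\My Documents\AIM_Account_Stealer_Crack.exe.txt", 120),  # name mismatch: ignored
    (r"C:\!ReadMe.exe", 93_261),
    (r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\!ReadMe.exe", 93_261),
    (r"C:\Program Files\Some App\!ReadMe.exe", 93_261),           # not a drop location: ignored
]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING",
    "  TCP    10.0.0.5:1045          203.0.113.10:6659      ESTABLISHED",
    "  UDP    0.0.0.0:137            *:*",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_NETSTAT).items():
        print(f"{key}: {value}")
```

The Run-key check is deliberately an allowlist rather than a pattern, because the description only says the name is random; the size bands are the tight handle, and a decoy name at a size outside both bands is left for manual review rather than flagged.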

Method of Infection

This worm spreads via network shares and via the MyDoom BackDoor.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.