W32/Gaobot.worm.ali
- Type: Virus
- SubType: Internet Worm
- Discovery Date: 04/28/2004
- Length: 138,752 bytes
- Minimum DAT: 4358 (05/05/2004)
- Updated DAT: 4706 (02/27/2006)
- Minimum Engine: 5.1.00
- Description Added: 04/28/2004
- Description Modified: 05/05/2004 8:39 PM (PT)
Characteristics
--Update 6th May, 2004--
More variants of W32/Gaobot.worm exploiting the MS04-011 vulnerability have been reported recently. The worm is stealthy by nature and may not be visible in the process or service lists. It drops a HOSTS file detected as Qhosts.apd. Generic detection for these variants has been added as W32/Gaobot.worm.gen.h.
--
At the time of this writing, there are more than 900 variants of the Gaobot virus in existence. The source code for Gaobot was posted to various websites, resulting in many new variants being created each week.
W32/Gaobot.worm.ali stands out from the others as it appears to be the first variant that incorporates code to exploit an MS04-011 vulnerability (LSASS Vulnerability, CAN-2003-0533). This particular variant is not currently a threat, as it is dependent on an IRC server that is no longer available. However, functional variants are expected to follow soon, and their details will likely differ from this one.
For maximum protection against the Gaobot family, users are recommended to:
- use the latest engine/DATs combination
- ensure the scanning of compressed files is enabled
- keep Windows systems patched by using Windows Update
- ensure weak username/passwords are not used
- run a personal desktop firewall application
The virus contains extensive remote access functionality, including:
- Create/Remove services
- Denial of service attack
- FTP/HTTP functions (upload, download files, etc)
- IRC functions
- Retrieve system information (RAM, CPU, Disk Space)
- Secure/insecure Windows shares
- Shutdown/reboot/logoff computer
- Sniffer
- Steal CD and product keys for various products
- Terminate running processes
Symptoms
When run, this virus copies itself to the %SysDir% directory as msiwin84.exe and creates several registry run keys in order to load itself at system startup.
(Where %SysDir% is the System directory, for example: C:\WINNT\SYSTEM32)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Microsoft Update" = msiwin84.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Microsoft Update" = msiwin84.exe
The virus attempts to run a speed test for Internet connectivity. The following domains are contacted to check for broadband connections:
- de.yahoo.com
- nitro.ucsc.edu
- verio.fr
- www.1und1.de
- www.above.net
- www.belwue.de
- www.burst.net
- www.cogentco.com
- www.d1asia.com
- www.level3.com
- www.lib.nthu.edu.tw
- www.nifty.com
- www.nocster.com
- www.rit.edu
- www.ryan1918.com
- www.ryan1918.net
- www.ryan1918.org
- www.schlund.net
- www.st.lib.keio.ac.jp
- www.stanford.edu
- www.switch.ch
- www.utwente.nl
- www.verio.com
- www.xo.net
- yahoo.co.jp
The virus attempts to connect to an Internet Relay Chat server (TCP port 6667) to allow a remote attacker to send commands to the infected system:
- malalala.bin-laden.cc
This threat is reliant upon connecting to this IRC server, and receiving spread commands in order to propagate. At the time of this writing, the DNS entry for this domain has been set to 0.0.0.0, therefore crippling this threat.
Infected systems listen on two random TCP ports, which serve as control ports for the attacker.
The local HOSTS file (%SysDir%\drivers\etc\hosts) is overwritten to block access to the following sites (note that this file is detected with current DAT files as Qhosts.apd):
- avp.com
- ca.com
- customer.symantec.com
- dispatch.mcafee.com
- download.mcafee.com
- f-secure.com
- kaspersky.com
- kaspersky-labs.com
- liveupdate.symantec.com
- liveupdate.symantecliveupdate.com
- mast.mcafee.com
- mcafee.com
- my-etrust.com
- nai.com
- networkassociates.com
- rads.mcafee.com
- secure.nai.com
- securityresponse.symantec.com
- sophos.com
- symantec.com
- trendmicro.com
- update.symantec.com
- updates.symantec.com
- us.mcafee.com
- viruslist.com
- viruslist.com
- www.avp.com
- www.ca.com
- www.f-secure.com
- www.grisoft.com
- www.kaspersky.com
- www.mcafee.com
- www.my-etrust.com
- www.nai.com
- www.networkassociates.com
- www.sophos.com
- www.symantec.com
- www.trendmicro.com
- www.viruslist.com
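The HOSTS overwrite above is the easiest symptom to check for on a suspect machine. The following Python is an added example written for this page (it is not McAfee code or part of the Qhosts detection): it parses a HOSTS file, tolerating tabs, several hostnames per line and trailing comments, and reports every mapping that touches one of the vendor domains listed above. The domain set is the list from this description; the HOSTS content at the bottom is constructed for the demonstration.

```python
"""Flag HOSTS-file entries that redirect the AV/update domains listed above.

Added example for this page (not McAfee code). The domain set is the one in
the description; the HOSTS content at the bottom is constructed.
"""
from __future__ import annotations

import ipaddress

# Domains the worm maps in %SysDir%\drivers\etc\hosts (from the list above).
BLOCKED_AV_DOMAINS = {
    "avp.com", "ca.com", "customer.symantec.com", "dispatch.mcafee.com",
    "download.mcafee.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "liveupdate.symantec.com", "liveupdate.symantecliveupdate.com",
    "mast.mcafee.com", "mcafee.com", "my-etrust.com", "nai.com",
    "networkassociates.com", "rads.mcafee.com", "secure.nai.com",
    "securityresponse.symantec.com", "sophos.com", "symantec.com",
    "trendmicro.com", "update.symantec.com", "updates.symantec.com",
    "us.mcafee.com", "viruslist.com", "www.avp.com", "www.ca.com",
    "www.f-secure.com", "www.grisoft.com", "www.kaspersky.com", "www.mcafee.com",
    "www.my-etrust.com", "www.nai.com", "www.networkassociates.com",
    "www.sophos.com", "www.symantec.com", "www.trendmicro.com", "www.viruslist.com",
}


def parse_hosts(text: str) -> list[tuple[str, str, int]]:
    """Return (address, hostname, line_number) for every mapping in a HOSTS file.

    Tolerates tabs, several hostnames per line, trailing '#' comments, CRLF
    line endings and lines that are not valid 'address host...' mappings.
    """
    entries: list[tuple[str, str, int]] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding space
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # address with no hostname: nothing mapped
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue                           # not an address at all, ignore the line
        for name in names:
            entries.append((address, name.lower().rstrip("."), line_no))
    return entries


def _is_av_domain(host: str) -> bool:
    """True for a listed domain or any hostname underneath one."""
    return host in BLOCKED_AV_DOMAINS or any(
        host.endswith("." + d) for d in BLOCKED_AV_DOMAINS
    )


def find_av_blocking_entries(text: str) -> list[dict]:
    """Return one finding per HOSTS mapping that touches an AV vendor domain.

    'sinkholed' is True when the address is loopback or 0.0.0.0 (the classic
    Qhosts pattern); any other address is still reported, because a legitimate
    HOSTS file has no reason to carry these names at all.
    """
    findings = []
    for address, host, line_no in parse_hosts(text):
        if not _is_av_domain(host):
            continue
        ip = ipaddress.ip_address(address)
        findings.append({
            "line": line_no,
            "host": host,
            "address": address,
            "sinkholed": ip.is_loopback or ip.is_unspecified,
        })
    return findings


# Constructed sample: a stock localhost line, Qhosts-style redirects, and one
# legitimate internal mapping that must not be reported.
SAMPLE_HOSTS = (
    "# constructed sample HOSTS file\r\n"
    "127.0.0.1       localhost\r\n"
    "127.0.0.1 www.symantec.com\r\n"
    "127.0.0.1 symantec.com securityresponse.symantec.com\r\n"
    "0.0.0.0\tliveupdate.symantec.com   # trailing comment\r\n"
    "127.0.0.1 avp.com\r\n"
    "192.168.1.10 fileserver.corp.example\r\n"
)

if __name__ == "__main__":
    for f in find_av_blocking_entries(SAMPLE_HOSTS):
        tag = " (sinkholed)" if f["sinkholed"] else ""
        print(f"line {f['line']}: {f['host']} -> {f['address']}{tag}")
```

To run it against a real machine, read `%SystemRoot%\System32\drivers\etc\hosts` into `find_av_blocking_entries`; a non-empty result on a host that has no deliberate vendor overrides is worth investigating, and the line numbers point straight at what to remove once the worm itself has been cleaned.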
It also attempts to terminate the following processes:
- _AVP32.EXE
- _AVPCC.EXE
- _AVPM.EXE
- 53ARCH.EXE
- ACKWIN32.EXE
- ADAWARE.EXE
- ADVXDWIN.EXE
- AGENTSVR.EXE
- AGENTW.EXE
- ALERTSVC.EXE
- ALEVIR.EXE
- ALOGSERV.EXE
- AMON.EXE
- AMON9X.EXE
- ANTI-TROJAN.EXE
- ANTIVIRUS.EXE
- ANTS.EXE
- APIMONITOR.EXE
- APLICA32.EXE
- APORTS.EXE
- APVXDWIN.EXE
- ARMKILLER
- ARR.EXE
- ATCON.EXE
- ATGUARD.EXE
- ATRO55EN.EXE
- ATUPDATER.EXE
- ATWATCH.EXE
- AU.EXE
- AUPDATE.EXE
- AUTODOWN.EXE
- AUTO-PROTECT.NAV80TRY.EXE
- AUTOTRACE.EXE
- AUTOUPDATE.EXE
- AV.EXE
- AVCONSOL.EXE
- AVE32.EXE
- AVGCC32.EXE
- AVGCTRL.EXE
- AVGNT.EXE
- AVGSERV.EXE
- AVGSERV9.EXE
- AVGUARD.EXE
- AVGW.EXE
- AVKPOP.EXE
- AVKSERV.EXE
- AVKSERVICE.EXE
- AVKWCTl9.EXE
- AVLTMAIN.EXE
- AVNT.EXE
- AVP.EXE
- AVP32.EXE
- AVPCC.EXE
- AVPDOS32.EXE
- AVPM.EXE
- AVPTC32.EXE
- AVPUPD.EXE
- AVSCHED32.EXE
- AVSYNMGR.EXE
- AVWIN95.EXE
- AVWINNT.EXE
- AVWUPD.EXE
- AVWUPD32.EXE
- AVWUPSRV.EXE
- AVXMONITOR9X.EXE
- AVXMONITORNT.EXE
- AVXQUAR.EXE
- BACKWEB.EXE
- BARGAINS.EXE
- BCW.EXE
- BD_PROFESSIONAL.EXE
- BEAGLE.EXE
- BELT.EXE
- BIDEF.EXE
- BIDSERVER.EXE
- BIPCP.EXE
- BIPCPEVALSETUP.EXE
- BISP.EXE
- BLACKD.EXE
- BLACKICE.EXE
- BLSS.EXE
- BOOTCONF.EXE
- BOOTWARN.EXE
- BORG2.EXE
- BPC.EXE
- BRASIL.EXE
- BS120.EXE
- BUNDLE.EXE
- BVT.EXE
- CCAPP.EXE
- CCEVTMGR.EXE
- CCPXYSVC.EXE
- CDP.EXE
- CFD.EXE
- CFGWIZ.EXE
- CFIADMIN.EXE
- CFIAUDIT.EXE
- CFINET.EXE
- CFINET32.EXE
- Claw95.EXE
- CLAW95CF.EXE
- CLEAN.EXE
- CLEANER.EXE
- CLEANER3.EXE
- CLEANPC.EXE
- CLICK.EXE
- CLIENT.EXE
- CMD32.EXE
- CMESYS.EXE
- CMGRDIAN.EXE
- CMON016.EXE
- CONDOM.EXE
- CONNECTIONMONITOR.EXE
- CPD.EXE
- CPF9X206.EXE
- CPFNT206.EXE
- CRACKER.EXE
- CTRL.EXE
- CV.EXE
- CWNB181.EXE
- CWNTDWMO.EXE
- DATEMANAGER.EXE
- DCOMX.EXE
- DEBUG.EXE
- DEFALERT.EXE
- DEFSCANGUI.EXE
- DEFWATCH.EXE
- DEPUTY.EXE
- DIVX.EXE
- DLLCACHE.EXE
- DLLREG.EXE
- DOORS.EXE
- DPF.EXE
- DPFSETUP.EXE
- DPPS2.EXE
- DRWATSON.EXE
- DRWEB32.EXE
- DRWEBUPW.EXE
- DSSAGENT.EXE
- DUMP.EXE
- DVP95.EXE
- DVP95_0.EXE
- ECENGINE.EXE
- EFPEADM.EXE
- EMSW.EXE
- ENT.EXE
- ESAFE.EXE
- ESCANH95.EXE
- ESCANHNT.EXE
- ESCANV95.EXE
- ESPWATCH.EXE
- ETHEREAL.EXE
- ETRUSTCIPE.EXE
- EVPN.EXE
- EXANTIVIRUS-CNET.EXE
- EXE.AVXW.EXE
- EXPERT.EXE
- EXPLORE.EXE
- F-AGNT95.EXE
- F-AGOBOT.EXE
- FAMEH32.EXE
- FAST.EXE
- FCH32.EXE
- FIH32.EXE
- FINDVIRU.EXE
- FIREWALL.EXE
- FLOWPROTECTOR.EXE
- FNRB32.EXE
- FPORT.EXE
- FPROT.EXE
- F-PROT.EXE
- F-PROT95.EXE
- FP-WIN.EXE
- FP-WIN_TRIAL.EXE
- FRHED.EXE
- FRW.EXE
- FSAA.EXE
- FSAV.EXE
- FSAV32.EXE
- FSAV530STBYB.EXE
- FSAV530WTBYB.EXE
- FSAV95.EXE
- FSGK32.EXE
- FSM32.EXE
- FSMA32.EXE
- FSMB32.EXE
- F-STOPW.EXE
- FW.EXE
- GATOR.EXE
- GBMENU.EXE
- GBPOLL.EXE
- GENERICS.EXE
- GMT.EXE
- GUARD.EXE
- GUARDDOG.EXE
- HACKTRACERSETUP.EXE
- HBINST.EXE
- HBSRV.EXE
- HIJACKTHIS.EXE
- HONEYD.EXE
- HOTACTIO.EXE
- HOTPATCH.EXE
- HTLOG.EXE
- HTPATCH.EXE
- HWPE.EXE
- HXDL.EXE
- HXIUL.EXE
- IAMAPP.EXE
- IAMSERV.EXE
- IAMSTATS.EXE
- IBMASN.EXE
- IBMAVSP.EXE
- ICLOAD95.EXE
- ICLOADNT.EXE
- ICMON.EXE
- ICSUPP95.EXE
- ICSUPPNT.EXE
- IDLE.EXE
- IEDLL.EXE
- IEDRIVER.EXE
- IEXPLORER.EXE
- IFACE.EXE
- IFW2000.EXE
- IISLOCKD.exe
- INETLNFO.EXE
- INFUS.EXE
- INFWIN.EXE
- INIT.EXE
- INTDEL.EXE
- INTREN.EXE
- IOMON98.EXE
- IPARMOR.EXE
- IRIS.EXE
- ISASS.EXE
- ISRV95.EXE
- ISTSVC.EXE
- JAMMER.EXE
- JDBGMRG.EXE
- JEDI.EXE
- KAVLITE40ENG.EXE
- KAVPERS40ENG.EXE
- KAVPF.EXE
- KAZZA.EXE
- KD.EXE
- KEENVALUE.EXE
- KERIO-PF-213-EN-WIN.EXE
- KERIO-WRL-421-EN-WIN.EXE
- KERIO-WRP-421-EN-WIN.EXE
- KERNEL32.EXE
- KILLPROCESSSETUP161.EXE
- LAUNCHER.EXE
- LDNETMON.EXE
- LDPRO.EXE
- LDPROMENU.EXE
- LDSCAN.EXE
- LNETINFO.EXE
- LOADER.EXE
- LOCALNET.EXE
- LOCKDOWN.EXE
- LOCKDOWN2000.EXE
- LOGGER.EXE
- LOGVIEWER.EXE
- LOOKOUT.EXE
- LORDPE.EXE
- LSETUP.EXE
- LUALL.EXE
- LUAU.EXE
- LUCOMSERVER.EXE
- LUINIT.EXE
- LUSPT.EXE
- MAPISVC32.EXE
- MCAGENT.EXE
- MCMNHDLR.EXE
- MCSHIELD.EXE
- MCTOOL.EXE
- MCUPDATE.EXE
- MCVSRTE.EXE
- MCVSSHLD.EXE
- MD.EXE
- MFIN32.EXE
- MFW2EN.EXE
- MFWENG3.02D30.EXE
- MGAVRTCL.EXE
- MGAVRTE.EXE
- MGHTML.EXE
- MGUI.EXE
- MINILOG.EXE
- MMOD.EXE
- MONITOR.EXE
- MOOLIVE.EXE
- MOSTAT.EXE
- MPFAGENT.EXE
- MPFSERVICE.EXE
- MPFTRAY.EXE
- MRFLUX.EXE
- MSAPP.EXE
- MSBB.EXE
- MSBLAST.EXE
- MSCACHE.EXE
- MSCCN32.EXE
- MSCMAN.EXE
- MSCONFIG.EXE
- MSDM.EXE
- MSDOS.EXE
- MSIEXEC16.EXE
- MSINFO32.EXE
- MSLAUGH.EXE
- MSMGT.EXE
- MSMSGRI32.EXE
- MSSMMC32.EXE
- MSSYS.EXE
- MSVXD.EXE
- MU0311AD.EXE
- MWATCH.EXE
- N32SCANW.EXE
- NAV.EXE
- NAVAP.NAVAPSVC.EXE
- NAVAPSVC.EXE
- NAVAPW32.EXE
- NAVDX.EXE
- NAVENGNAVEX15.NAVLU32.EXE
- NAVLU32.EXE
- NAVNT.EXE
- NAVSTUB.EXE
- NAVW32.EXE
- NAVWNT.EXE
- NC2000.EXE
- NCINST4.EXE
- NDD32.EXE
- NEOMONITOR.EXE
- NEOWATCHLOG.EXE
- NETARMOR.EXE
- NETD32.EXE
- NETINFO.EXE
- NETMON.EXE
- NETSCANPRO.EXE
- NETSPYHUNTER-1.2.EXE
- NETSTAT.EXE
- NETUTILS.EXE
- NETWORKACTIVSNIFFERV1.4.EXE
- NISSERV.EXE
- NISUM.EXE
- NMAIN.EXE
- NOD32.EXE
- NOD32CC.EXE
- NOD32M2.EXE
- NORMIST.EXE
- NORTON_INTERNET_SECU_3.0_407.EXE
- NOTSTART.EXE
- NPF40_TW_98_NT_ME_2K.EXE
- NPFMESSENGER.EXE
- NPROTECT.EXE
- NPSCHECK.EXE
- NPSSVC.EXE
- NSCHED32.EXE
- NSSYS32.EXE
- NSTASK32.EXE
- NSUPDATE.EXE
- NT.EXE
- NTRTSCAN.EXE
- NTVDM.EXE
- NTXconfig.EXE
- NUI.EXE
- NUPGRADE.EXE
- NVARCH16.EXE
- NVC95.EXE
- NVSVC32.EXE
- NWINST4.EXE
- NWSERVICE.EXE
- NWTOOL16.EXE
- OLLYDBG.EXE
- ONSRVR.EXE
- OPTIMIZE.EXE
- OSTRONET.EXE
- OTFIX.EXE
- OUTPOST.EXE
- OUTPOSTINSTALL.EXE
- OUTPOSTPROINSTALL.EXE
- PADMIN.EXE
- PANIXK.EXE
- PATCH.EXE
- PAVCL.EXE
- PAVPROXY.EXE
- PAVSCHED.EXE
- PAVW.EXE
- PCC2002S902.EXE
- PCC2K_76_1436.EXE
- PCCIOMON.EXE
- PCCNTMON.EXE
- PCCWIN97.EXE
- PCCWIN98.EXE
- PCDSETUP.EXE
- PCFWALLICON.EXE
- PCIP10117_0.EXE
- PCSCAN.EXE
- PDSETUP.EXE
- PEDASM.EXE
- PENIS.EXE
- PERISCOPE.EXE
- PERSFW.EXE
- PERSWF.EXE
- PF2.EXE
- PFWADMIN.EXE
- PGMONITR.EXE
- PINGSCAN.EXE
- PLATIN.EXE
- PMDUMP.EXE
- PMON
- POP3TRAP.EXE
- POPROXY.EXE
- POPSCAN.EXE
- PORTDETECTIVE.EXE
- PORTMONITOR.EXE
- POWERSCAN.EXE
- PPINUPDT.EXE
- PPTBC.EXE
- PPVSTOP.EXE
- PRIZESURFER.EXE
- PRMT.EXE
- PRMVR.EXE
- PROCDUMP.EXE
- PROCESSMONITOR.EXE
- PROCEXPLORERV1.0.EXE
- PROGRAMAUDITOR.EXE
- PROPORT.EXE
- PROTECTX.EXE
- PSPF.EXE
- PURGE.EXE
- PUSSY.EXE
- PVIEW95.EXE
- QCONSOLE.EXE
- QSERVER.EXE
- RAPAPP.EXE
- RAV7.EXE
- RAV7WIN.EXE
- RAV8WIN32ENG.EXE
- RAY.EXE
- RB32.EXE
- RCSYNC.EXE
- REALMON.EXE
- REGCLEANER.EXE
- REGED.EXE
- REGEDIT.EXE
- REGEDT32.EXE
- RERGCLEANR.EXE
- RESCUE.EXE
- RESCUE32.EXE
- RRGUARD.EXE
- RSHELL.EXE
- RTVSCAN.EXE
- RTVSCN95.EXE
- RULAUNCH.EXE
- RUN32DLL.EXE
- RUNDLL.EXE
- RUNDLL16.EXE
- RUXDLL32.EXE
- SAFEWEB.EXE
- SAHAGENT.EXE
- SAVE.EXE
- SAVENOW.EXE
- SBSERV.EXE
- SC.EXE
- SCAM32.EXE
- SCAN32.EXE
- SCAN95.EXE
- SCANPM.EXE
- SCRSCAN.EXE
- SCRSVR.EXE
- SCVHOST.EXE
- SD.EXE
- SERV95.EXE
- SERVICE.EXE
- SERVLCE.EXE
- SERVLCES.EXE
- SETUP_FLOWPROTECTOR_US.EXE
- SETUPVAMEEVAL.EXE
- SFC.EXE
- SGSSFW32.EXE
- SH.EXE
- SHELLSPYINSTALL.EXE
- SHN.EXE
- SHOWBEHIND.EXE
- SMC.EXE
- SMS.EXE
- SMSS32.EXE
- SOAP.EXE
- SOFI.EXE
- SPERM.EXE
- SPF.EXE
- SPHINX.EXE
- SPOLER.EXE
- SPOOLCV.EXE
- SPOOLSV32.EXE
- SPYXX.EXE
- SREXE.EXE
- SRIN.EXE
- SRNG.EXE
- SS3EDIT.EXE
- SSG_4104.EXE
- SSGRATE.EXE
- ST2.EXE
- START.EXE
- STCLOADER.EXE
- SUPFTRL.EXE
- SUPPORT.EXE
- SUPPORTER5.EXE
- SVC.EXE
- SVCHOSTC.EXE
- SVCHOSTS.EXE
- SVSHOST.EXE
- SWEEP95.EXE
- SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
- SYMPROXYSVC.EXE
- SYMTRAY.EXE
- SYSEDIT.EXE
- SYSTEM.EXE
- SYSTEM32.EXE
- SYSUPD.EXE
- TASKMG.EXE
- TASKMO.EXE
- TASKMON.EXE
- TAUMON.EXE
- TBSCAN.EXE
- TC.EXE
- TCA.EXE
- TCM.EXE
- TCPVIEW.EXE
- TDS2-98.EXE
- TDS2-NT.EXE
- TDS-3.EXE
- TEEKIDS.EXE
- TEST.EXE
- TFAK.EXE
- TFAK5.EXE
- TGBOB.EXE
- TITANIN.EXE
- TITANINXP.EXE
- TRACERT.EXE
- TRICKLER.EXE
- TRJSCAN.EXE
- TRJSETUP.EXE
- TROJANTRAP3.EXE
- TSADBOT.EXE
- TVMD.EXE
- TVTMD.EXE
- UNDOBOOT.EXE
- UPDAT.EXE
- UPDATE.EXE
- UPGRAD.EXE
- UTPOST.EXE
- VBCMSERV.EXE
- VBCONS.EXE
- VBUST.EXE
- VBWIN9X.EXE
- VBWINNTW.EXE
- VCSETUP.EXE
- VET32.EXE
- VET95.EXE
- VETTRAY.EXE
- VFSETUP.EXE
- VIR-HELP.EXE
- VIRUSMDPERSONALFIREWALL.EXE
- VNLAN300.EXE
- VNPC3000.EXE
- VPC32.EXE
- VPC42.EXE
- VPFW30S.EXE
- VPTRAY.EXE
- VSCAN40.EXE
- VSCENU6.02D30.EXE
- VSCHED.EXE
- VSECOMR.EXE
- VSHWIN32.EXE
- VSISETUP.EXE
- VSMAIN.EXE
- VSMON.EXE
- VSSTAT.EXE
- VSWIN9XE.EXE
- VSWINNTSE.EXE
- VSWINPERSE.EXE
- W32DSM89.EXE
- W9X.EXE
- WATCHDOG.EXE
- WEBDAV.EXE
- WEBSCANX.EXE
- WEBTRAP.EXE
- WFINDV32.EXE
- WGFE95.EXE
- WHOSWATCHINGME.EXE
- WIMMUN32.EXE
- WIN32.EXE
- WIN32US.EXE
- WINACTIVE.EXE
- WIN-BUGSFIX.EXE
- WINDBG.EXE
- WINDOW.EXE
- WINDOWS.EXE
- WINDUMP.EXE
- WININETD.EXE
- WININIT.EXE
- WININITX.EXE
- WINLOGIN.EXE
- WINMAIN.EXE
- WINNET.EXE
- WINPPR32.EXE
- WINRECON.EXE
- WINSERVN.EXE
- WINSSK32.EXE
- WINSTART.EXE
- WINSTART001.EXE
- WINTSK32.EXE
- WINUPDATE.EXE
- WKUFIND.EXE
- WNAD.EXE
- WNT.EXE
- WRADMIN.EXE
- WRCTRL.EXE
- WSBGATE.EXE
- WUPDATER.EXE
- WUPDT.EXE
- WYVERNWORKSFIREWALL.EXE
- XPF202EN.EXE
- ZAPRO.EXE
- ZAPSETUP3001.EXE
- ZATUTOR.EXE
- ZONALM2601.EXE
- ZONEALARM.EXE
Method of Infection
This worm propagates via accessible or poorly secured network shares, and is intended to take advantage of high profile exploits.
It attempts to spread through the following administrative shares:
- c
- c$
- d$
- e$
- admin$
- print$
The worm contains a list of common usernames and passwords, representing typical poor username/password choices. Users should avoid securing shares with passwords containing key sequences such as:
- !@#$%^&*
- !@#$%^&
- !@#$%^
- !@#$%
- !@#$
- 000000
- 00000000
- 007
- 110
- 111
- 111111
- 11111111
- 12
- 121212
- 123
- 123123
- 1234
- 12345
- 123456
- 1234567
- 12345678
- 123456789
- 1234qwer
- 123abc
- 123asd
- 123qwe
- 1776
- 1778
- 2002
- 2004
- 23
- 2525
- 2600
- 42
- 54321
- 654321
- 666
- 69
- 88888888
- aaa
- abc
- abc123
- abcd
- ACCESS
- Admin
- admin
- admin123
- administrador
- Administrador
- Administrateur
- ADMINISTRATOR
- administrator
- Administrator
- admins
- alpha
- ami
- amie
- anonymous
- asdf
- asdfgh
- asdfghjkl
- askaban
- ASP
- athlon
- azerty
- azkaban
- baby
- backdoor
- BACKUP
- backup
- ball
- beer
- benutzer
- Benutzer
- biere
- bill
- black
- blowjob
- blue
- bong
- Box
- BOX
- box
- buckbeak
- calcolatore
- carte
- cauldron
- cederom
- changeme
- child
- clit
- CNN
- colin
- computadora
- computer
- condom
- Convidado
- Coordinatore
- copin
- copine
- crash
- cum
- data
- database
- Default
- Dell
- dementor
- devil
- dick
- dope
- drop
- drugs
- dude
- dumbledore
- ecran
- enable
- erik
- fanny
- feds
- fish
- foobar
- fool
- freak
- f**k
- f**ked
- f**kyou
- f**k-you
- gast
- Gast
- gay
- george
- god
- godblessyou
- gryffindor
- Guest
- hagrid
- harry
- hax
- hermine
- hermione
- hogwarts
- hole
- home
- homework
- idiot
- ihavenopass
- imprimeur
- Internet
- Inviter
- iraq
- jackdaniels
- jim
- kanri
- kanri-sha
- karl
- kate
- kids
- kt
- lab
- leet
- linux
- LOCAL
- Login
- lol
- love
- madre
- mark
- mary
- master
- merde
- metal
- mgmt
- mice
- mike
- mince
- moonshine
- mouse
- mybaby
- mybox
- mygirl
- myhole
- mypass
- mypc
- mysql
- newfie
- newfy
- nigger
- noob
- null
- OEM
- office
- oil
- opteron
- oracle
- ordinateur
- Ospite
- own
- owned
- OWNER
- owner
- Owner
- pass
- PASSWD
- passwd
- Password
- password
- password123
- pat
- patrick
- pc
- penis
- peter
- PHP
- pink
- poiut
- poiuytrewq
- poop
- porn
- pot
- potter
- private
- purple
- pussy
- pw
- pwd
- pwned
- quidditch
- qwer
- qwerty
- qwerty123
- qwertyuiop
- r00t
- rain
- rapeme
- rat
- red
- red123
- reseau
- ROOT
- root
- rooted
- sa
- school
- secret
- secrets
- semen
- SERVER
- server
- sex
- share
- sistema
- souris
- sql
- sqlagent
- sql-server
- stacey
- stacy
- Standard
- stefan
- steve
- steven
- student
- super
- superman
- supersecret
- switch
- sybase
- SYSTEM
- system
- teacher
- TEMP
- temp
- tennessee
- Tennessee
- TEST
- Test
- test123
- Texas
- texas
- tim
- tom
- UNIX
- user
- User
- utente
- Utente
- utilisateur
- Utilisateur
- vagina
- Verwalter
- w33d
- washington
- Washington
- web
- webmaster
- weed
- werty
- west
- West
- wet
- wh0re
- whiskey
- whisky
- whore
- win
- windows2k
- windows98
- windowsME
- WindowsXP
- windoze
- wmd
- work
- workplace
- wwwadmin
- x
- xp
- xxx
- xxyyzz
- xyz
- yellow
- yxcv
- z
- zxcv
- zxcvbnm
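A practical way to act on the list above is to reject such values when credentials are set. The following Python is an added example written for this page (not McAfee code): it treats the worm's dictionary as a blocklist, using a subset of the entries above, and mirrors the "key sequences" wording by rejecting longer entries wherever they appear inside a password while matching very short entries such as "x", "12" or "42" only exactly, since a substring rule for those would reject almost everything. The rule that a password must not equal its username is an extra assumption of this example, not something the description states.

```python
"""Reject passwords the worm's credential dictionary would guess.

Added example for this page (not McAfee code). WORM_WEAK_PASSWORDS is a
subset of the list above; the username-equality rule is an extra assumption.
"""
from __future__ import annotations

# Subset of the worm's username/password list (taken from the description above).
WORM_WEAK_PASSWORDS = [
    "!@#$%^&*", "000000", "007", "12", "123", "1234", "12345", "123456",
    "1234qwer", "42", "666", "abc123", "Admin", "admin", "admin123",
    "Administrator", "ADMINISTRATOR", "asdf", "changeme", "Guest",
    "ihavenopass", "password", "Password", "password123", "qwerty", "r00t",
    "root", "secret", "server", "test123", "user", "x", "z",
]

# Entries at least this long are treated as forbidden substrings ("key
# sequences"); shorter ones such as "x", "12" or "42" would match almost any
# password, so they are only rejected as exact matches.
MIN_SUBSTRING_LEN = 4

# Case-folded, de-duplicated dictionary ("Admin", "admin", "ADMINISTRATOR"...).
_DICTIONARY = sorted({entry.lower() for entry in WORM_WEAK_PASSWORDS})


def weak_reasons(password: str, username: str = "") -> list[str]:
    """Return every reason the password is guessable by this dictionary; empty if none."""
    pw = password.strip().lower()
    if not pw:
        return ["empty password"]
    reasons: list[str] = []
    if username and pw == username.strip().lower():
        reasons.append("password equals username")   # assumption of this example
    for entry in _DICTIONARY:
        if pw == entry:
            reasons.append(f"exact match with worm dictionary entry {entry!r}")
        elif len(entry) >= MIN_SUBSTRING_LEN and entry in pw:
            reasons.append(f"contains worm dictionary sequence {entry!r}")
    return reasons


def is_acceptable(password: str, username: str = "") -> bool:
    """Policy decision: accept only passwords with no weak_reasons."""
    return not weak_reasons(password, username)


if __name__ == "__main__":
    # Constructed sample credentials.
    samples = [
        ("administrator", "Administrator"),
        ("jsmith", "Summer1234!"),
        ("jsmith", "xylophone-42-Truck"),
    ]
    for user, pw in samples:
        print(f"{user} / {pw}: {weak_reasons(pw, user) or 'acceptable'}")
```

Extending `WORM_WEAK_PASSWORDS` with the full list above (or with a larger public wordlist) needs no other change; the case folding and the substring/exact split are applied to whatever the list contains.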
Removal
Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used. Additional removal considerations apply to Windows ME/XP systems.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W32.Gaobot.AFJ (Symantec)
- W32/Gaobot.PX.worm (Panda)
- Win32.Agobot.TU (Panda)
- WORM_AGOBOT.JF (Trend)