W32/Gaobot.worm
- Type: Virus
- SubType: Worm
- Discovery Date: 10/15/2002
- Length: 111,616
- Minimum DAT: 4230 (10/23/2002)
- Updated DAT: 5763 (10/06/2009)
- Minimum Engine: 5.1.00
- Description Added: 10/21/2002
- Description Modified: 10/21/2002 4:45 PM (PT)
Characteristics
This threat can be detected with DATs prior to 4230 with engine 4.1.60 as "New Backdoor1" if the option to scan with "Program File Heuristics Scanning" is enabled.
This worm may try to act as an IRC Bot, and to spread through KaZaA and network shares. When run, the worm tries to contact a site which now appears to be down, and to grab CD keys for games including Half-Life and Warcraft III.
The worm then copies itself to the WINDOWS SYSTEM directory and references itself in the registry so that it will be loaded again at startup:
"Config Loader" = sysldr32.exe
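An added example (not McAfee's code and not part of the original description): a Python check that scans the text of a registry export for the autorun indicator above. The list of autorun keys, the function names and the sample data are assumptions, since the description does not say which registry key the worm writes to.

```python
import re

# Indicators from the description above: autorun value name and file name.
IOC_NAME = "config loader"
IOC_FILE = re.compile(r'(?:^|[\\/"])sysldr32\.exe(?=$|["\s])', re.I)

# Assumption: the page does not name the registry key, so this checks the
# standard Windows autorun keys (Run, RunOnce, RunServices, RunServicesOnce).
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once|Services|ServicesOnce)?$", re.I)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    # .reg strings escape backslashes and quotes with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)


def find_autorun_hits(reg_text):
    """Return a list of dicts for autorun values matching either indicator."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # current registry key section
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or not AUTORUN_KEY.search(key):
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        name_hit = name.strip().lower() == IOC_NAME
        file_hit = bool(IOC_FILE.search(data))  # matches bare name or full path
        if name_hit or file_hit:
            hits.append({"key": key, "name": name, "data": data,
                         "name_match": name_hit, "file_match": file_hit})
    return hits


# Constructed sample in .reg export format (not taken from a real system).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Config Loader"="sysldr32.exe"
"SoundMan"="C:\\WINDOWS\\SOUNDMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Loader"="C:\\WINDOWS\\SYSTEM\\SYSLDR32.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
"Config Loader"="sysldr32.exe"
"""

if __name__ == "__main__":
    for h in find_autorun_hits(SAMPLE_REG):
        print(h["key"], "|", h["name"], "=", h["data"],
              "| name:", h["name_match"], "file:", h["file_match"])
```

Registry exports in the version 5.00 format are UTF-16 encoded, so decode the file before passing its text to find_autorun_hits.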
Symptoms
Method of Infection
If it attempts to spread via KaZaA, it may pick possible file-names from a long list of names, especially pertaining to cracked software and pornography, in order to try to entice people into running the file.
If it attempts to spread through open shares, it may try some password-protected shares using its own list of common user-names and passwords.
Removal
Use the specified engine and DAT files for detection and removal.
Infected systems should be removed from the network and repaired before they are placed back onto the network. Failure to do so can result in further infections.
As this threat seeks open shares, turn off full sharing on your system. If you have to use shares, use password protection to avoid being a future target.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- Backdoor.Agobot.01 (AVP)