HLLW.Gaobot

Threat risk

Threat risk none


Detection files published:	Description created: 2004-04-22	Description updated: 2004-04-22

Malware type: Worm	Alias:	Spreading mechanism Network

Payload:

Summary
Spreading description
Threat description
Removal

Summary

This is a generic description intended to cover common functionality found in the Gaobot series of worms.

Gaobots are rather large and contain a lot of functionality, most spread via Windows exploits and network shares, and will join an IRC channel that attackers can also use to send commands to an infected machine.

Spreading description

When a Gaobot starts it will copy itself to the %SYSTEM% folder using a predefined name. Then it will create two entries in the following registry keys to ensure it is started with Windows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Gaobots will use various Windows exploits in order to infect a machine, the most common being:

Buffer Overrun In RPC Interface Could Allow Code Execution (MS03-026)
Unchecked Buffer in Locator Service Could Lead to Code Execution (MS03-001)
Buffer Overrun in the Workstation Service Could Allow Code Execution (MS03-007)
Unchecked Buffer In Windows Component Could Cause Server Compromise (MS03-049)

The worm will also search for and exploit backdoors created by worms (i.e. Bagle and Mydoom) in order to infect machines.

Gaobots also attempt to copy themselves to network shares. If the share has restricted write access then the worm will attempt to log in using a list of usernames and passwords.

Threat description

Gaobots will join an IRC channel where it sits and waits for commands. The following list includes commands that may be supported by Gaobot variants:

Retrieve information about the worm.
Terminate or uninstall the worm.
Resolve an IP/hostname via DNS.
Execute a program or open a file.
Change IRC Nick.
Log out of the current channel.
Display system information.
Redirect TCP traffic.
Download and optionally execute a file via FTP or HTTP.
Upload a file.

Machines infected with Gaobot can also be used in a distributed denial of service (DDoS) attack. The supported types of attack are:

ICMP flood.
UDP flood.
SYN flood.
HTTP Flood.
Targa3 Flood.

The worm may also re-enable the following administrative shares on the system:

C$
D$
E$
IPC$
ADMIN$

Some Gaobot variants also modify the hosts file to prevent access to anti-virus websites. The most commonly blocked websites are:

www.symantec.com
securityresponse.symantec.com
symantec.com
www.sophos.com
sophos.com
www.mcafee.com
mcafee.com
liveupdate.symantecliveupdate.com
www.viruslist.com
viruslist.com
viruslist.com
f-secure.com
www.f-secure.com
kaspersky.com
www.avp.com
www.kaspersky.com
avp.com
www.networkassociates.com
networkassociates.com
www.ca.com
ca.com
mast.mcafee.com
my-etrust.com
www.my-etrust.com
download.mcafee.com
dispatch.mcafee.com
secure.nai.com
nai.com
www.nai.com
update.symantec.com
updates.symantec.com
us.mcafee.com
liveupdate.symantec.com
customer.symantec.com
rads.mcafee.com
trendmicro.com
www.trendmicro.com

Finally, Gaobots also attempt to terminate processes associated with anti-virus, firewall and other security software, as well as having the ability to start/stop services.

Removal

Norman currently detects hundreds of Gaobots, with new variants appearing daily.

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiantly. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below - if your Norman antivirus is unable to clean-up the infection.

Usage	Title	Comment
	Stopping network share infectors
	Cleaning of back-up folders on Windows Me and XP

Print page