What
is the Gaobot.SY worm?
Gaobot.SY is a worm that attempts to spread
through network shares that have weak passwords
and allows attackers to access an infected
computer using a predetermined IRC channel.
The worm uses multiple vulnerabilities to
spread, including:
This threat may be compressed with PE Diminisher.
Also known as: W32.HLLW.Gaobot.gen
How
Does Gaobot.SY Infect My System?
When Gaobot.SY runs, it does the following:
- Copies itself as %System%\winhlpp32.exe.
- Adds the value:
"%System%\winhlpp32.exe"
to the registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\RunServices
so that the worm runs when you start
Windows.
- Deletes the values:
- "Ssate.exe"
- "rate.exe"
- "d3dupdate.exe"
- "TaskMon"
- "Explorer"
from the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\Run
- Terminates the following processes:
- irun4.exe
- i11r54n4.exe
- winsys.exe
- bbeagle.exe
- taskmon.exe
Refer to "Processes" at the end
of this section for a complete list of
processes that W32.Gaobot.SY attempts to
terminate.
- Deletes the following files:
- %System%\irun4.exe
- %System%\i11r54n4.exe
- %System%\winsys.exe
- %System%\bbeagle.exe
- %System%\taskmon.exe
- Delete the service, upnphost.
- Adds the following lines to the
%System%\drivers\etc\hosts file, so that any
attempts to connect to these Web sites fail:
127.0.0.1
www.grisoft.com
127.0.0.1
www.trendmicro.com
127.0.0.1
trendmicro.com
127.0.0.1
rads.mcafee.com
127.0.0.1
us.mcafee.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1
secure.nai.com
127.0.0.1
dispatch.mcafee.com
127.0.0.1
download.mcafee.com
127.0.0.1
www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1
mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1
networkassociates.com
127.0.0.1
www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1
www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1
kaspersky.com
127.0.0.1
www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1
viruslist.com
127.0.0.1
www.viruslist.com
127.0.0.1 mcafee.com
127.0.0.1
www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1
www.sophos.com
127.0.0.1
updates.symantec.com
127.0.0.1
update.symantec.com
127.0.0.1
customer.symantec.com
127.0.0.1
liveupdate.symantec.com
127.0.0.1 symantec.com
127.0.0.1
securityresponse.symantec.com
127.0.0.1
www.symantec.com
127.0.0.1
liveupdate.symantecliveupdate.com
- Terminates a large number of processes. The
full list of process names can be found at the
bottom of the "Technical Details"
section.
- Attempts to spread to other computers using
a number of methods, including:
- Sending itself to the backdoor port,
which the Beagle family of worms opens.
- Sending itself to the backdoor port,
which the Mydoom family of worms opens.
- Using the WebDAV vulnerability
- Using the RPC DCOM vulnerability
- Using the Workstation service buffer
overrun vulnerability
- Using the Microsoft Messenger Service
Buffer Overrun Vulnerability
- Using the UPnP vulnerability
- Using the Locator service vulnerability
- Using the vulnerabilities in the
Microsoft SQL Server 2000 or MSDE 2000
audit
- Starts an FTP server on a randomly selected
TCP port.
- Connects to an IRC channel and awaits
commands. The worm recognizes a large number
of commands and can be instructed to (among
other things):
- Download and upload files via FTP and
HTTP
- Run commands
- List and terminate processes
- List and terminate services
- Restart the computer
- Perform HTTP, ICMP, SYN, and UDP floods
- Retrieve email addresses stored on the
computer
- Retrieve a list of email addresses via
HTTP
- Retrieve a given URL
- Measure the speed of the infected
computer's Internet connection by sending
HTTP GET request to the following hosts:
- yahoo.co.jp
- www.nifty.com
- www.d1asia.com
- www.st.lib.keio.ac.jp
- www.lib.nthu.edu.tw
- www.above.net
- www.level3.com
- nitro.ucsc.edu
- www.burst.net
- www.cogentco.com
- www.rit.edu
- www.nocster.com
- www.verio.com
- www.stanford.edu
- www.xo.net
- de.yahoo.com
- www.belwue.de
- www.switch.ch
- www.1und1.de
- verio.fr
- www.utwente.nl
- www.schlund.net
- Sniff HTTP, FTP, and IRC traffic
- Disable other worms by deleting their
files, associated registry values, and
terminating their processes.
- Steals the Windows product ID and the CD
keys from some games.
- Tries to copy itself to other computers
through the following shares:
using the following user names and passwords, as
well as any user names found using NetUserEnum():
Usernames:
- aaa
- abc
- Admin
- admin
- administrador
- ......
Passwords:
- !@#$
- !@#$%
- !@#$%^
- !@#$%^&
- !@#$%^&*
- ......
Processes
W32.Gaobot.SY attempts to terminate the following
processes, mentioned in step 4:
- _AVP32.EXE
- _AVPCC.EXE
- _AVPM.EXE
- ACKWIN32.EXE
- ADAWARE.EXE
- ADVXDWIN.EXE
- AGENTSVR.EXE
- ......
How to Remove the Gaobot.SY worm?
Kaspersky Internet Security Can Prevent You From Virus and Intrusion.
If Kaspersky detects Gaobot.SY during the
scan, it will AUTOMATICALLY offer you the option
of deleting it. Do this by following the
program's instructions.
1. Disabling
System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we
recommend that you temporarily turn off System
Restore. Windows Me/XP uses this feature, which
is enabled by default, to restore the files on
your computer in case they become damaged. If a
virus, worm, or Trojan infects a computer, System
Restore may back up the virus, worm, or Trojan on
the computer.
For instructions on how to turn off System
Restore, read your Windows documentation, or one
of the following articles: How
to Disable System Restore in Windows ME or
Windows XP.
2. Restarting the computer in Safe mode or
VGA mode
Shut down the computer and turn off the power.
Wait for at least 30 seconds, and then restart
the computer in Safe mode or VGA mode.
- For Windows 95, 98, Me, 2000, or XP users,
restart the computer in Safe mode.
- For Windows NT 4 users, restart the computer
in VGA mode.
3. Restoring the Windows Hosts file
Follow the instructions for your operating
system:
- Windows 95/98/Me/NT/2000
- Click Start, point to Find or Search,
and then click Files or Folders.
- Make sure that "Look in" is
set to (C:) and that "Include
subfolders" is checked.
- In the "Named" or "Search
for..." box, type:
hosts
- Click Find Now or Search Now.
- For each one that you find, note its
location. (This is displayed in the
"In Folder" column.)
- Right-click each file, and then click
"Open With."
- Deselect the "Always use this
program to open this program" check
box.
- Scroll through the list of programs and
double-click Notepad.
- When the file opens, delete all the
entries in the Hosts file, except for the
following line:
127.0.0.1
localhost
- Close Notepad and save your changes when
prompted.
- Windows XP
- Click Start, and then click Search.
- Click All files and folders.
- In the "All or part of the file
name" box, type:
hosts
- Verify that "Look in" is set
to "Local Hard Drives" or to
(C:).
- Click "More advanced options."
- Check "Search system folders."
- Check "Search subfolders."
- Click Search.
- Click Find Now or Search Now.
- For each one that you find, note its
location. (This is displayed in the
"In Folder" column.)
- Right-click each file, and then click
"Open With."
- Deselect the "Always use this
program to open this program" check
box.
- Scroll through the list of programs and
double-click Notepad.
- When the file opens, delete all the
entries in the Hosts file except for the
following line:
127.0.0.1
localhost
- Close Notepad and save your changes when
prompted.
4. Reversing the changes made to the registry
- Click Start, and then click Run. (The Run
dialog box appears.)
- Type regedit
Then click OK. (The Registry Editor opens.)
- Navigate to each of the following keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
RunServices
- In the right pane, delete any of the
following values:
- "%System%\winhlpp32.exe"
- "Ssate.exe"
- "rate.exe"
- "d3dupdate.exe"
- "TaskMon"
- "Explorer"
- Exit the Registry Editor.
- Restart the computer in Normal mode.
5. Updating the virus definitions
If you do not know which anti-virus software
can provide strong protection for you, Kaspersky Internet Security is recommended.
6. Scanning for and deleting the infected
files
- Start your Kaspersky Internet Security and make sure that it is
configured to scan all the files.
- Run a full system scan.
- If any files are detected as infected with Gaobot.SY, click Delete.
How to Disinfect My Computer from Worms?
In order to keep your computer protected, bear
the following tips in mind:
- If you have filtering tools installed,
configure them to reject messages with the
characteristics described above. If, in spite
of doing this, you receive the message that
contains the virus: do not open it, do not run
the attached file and delete it, making sure
that you also delete it from the Deleted
Items folder.
- Install a good antivirus in your computer.
Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic
updates are available, configure your
antivirus to use them.
- Keep your permanent antivirus protection
enabled at all times.
Detect and Removal Instruction for Other
Variants:
|
