What
is the Gaobot.UL worm?
Gaobot.UL is a variant of Gaobot.gen.
It attempts to spread through network shares that
have weak passwords and allows attackers to
access an infected computer through a
predetermined IRC channel.
The worm uses multiple vulnerabilities to spread,
including:
W32.Gaobot.UL is packed with PE Diminisher.
Also known as: W32/Gaobot.worm.gen.e
How
Does Gaobot.UL Infect My System?
When Gaobot.UL runs, it does the following:
- Copies and executes itself as %System%\regsvc32.exe.
- Adds the value:
"Generic Service
Process"="regsvc32.exe"
to the registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices
so that the worm runs when you start
Windows.
- Tries to infect every running process on the
computer. If it succeeds, the
%System%\regsvc32.exe file will be hidden from
inspection by any processes, and all the newly
created processes will be infected in memory.
This could prevent the user from finding the
worm file and deleting it.
- Ends processes associated with antivirus and
firewall software. Refer to
"Processes" at the end of the
"Technical Details" section for a
full list of process names.
- Attempts to end the following processes,
which are associated with other worms:
- taskmon.exe
- bbeagle.exe
- d3dupdate.exe
- winsys.exe
- ssate.exe
- i11r54n4.exe
- rate.exe
- irun4.exe
- Ssate.exe
- Appends the following lines to the infected
computer's hosts file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
so that attempts to contact any of these URLs
is redirected to the local computer.
- Connects to a predetermined IRC channel,
using its own IRC client, and listens for
commands. Some of examples of commands are:
- Taking a screenshot of the system
- Changing the IRC server to which the
worm connects
- Forcing a connection to a specified IRC
channel
- Terminating the worm
- Having the worm send messages to people
or channels on IRC
- Instructing the worm to send files from
the system to the specified user over IRC
(DCC Send)
- Downloading and executing files
- Stealing system information
- Harvesting email addresses
- Stealing CD keys for various games
- Connecting to FTP servers to upload
files
- Terminating processes (other than those
mentioned in step 4)
- Connecting to other systems using SSH
- Running the worm as a SOCKS proxy
server, making connections, which
attackers make, appear to come from the
infected system.
- Attempts to spread to other computers by
exploiting the following vulnerabilities:
- Probes the following shares:
- c$
- d$
- e$
- print$
using various user names and weak passwords,
as well as any user names found using
NetUserEnum():
- Copies itself to any computers it
compromised using the above exploits.
- Attempts to steal login information for
PayPal by logging keystrokes, if a user of an
infected computer visits http:/ /www.paypal.com.
The worm can also be instructed to steal login
information for America Online's Instant
Messenger (AIM) service, as well as other
login information for various AOL services.
Processes
W32.Gaobot.UL attempts to terminate the following
processes, mentioned in step 4:
- _AVP32.EXE
- _AVPCC.EXE
- _AVPM.EXE
- 53ARCH.EXE
- APORTS.EXE
- ARMKILLER
- AUTO-PROTECT.NAV80TRY.EXE
- ......
How to Remove the Gaobot.UL worm?
Kaspersky Internet Security Can Prevent You From Virus and Intrusion.
If Kaspersky detects Gaobot.UL during the
scan, it will AUTOMATICALLY offer you the option
of deleting it. Do this by following the
program's instructions.
1. Disabling
System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we
recommend that you temporarily turn off System
Restore. Windows Me/XP uses this feature, which
is enabled by default, to restore the files on
your computer in case they become damaged. If a
virus, worm, or Trojan infects a computer, System
Restore may back up the virus, worm, or Trojan on
the computer.
For instructions on how to turn off System
Restore, read your Windows documentation, or one
of the following articles: How
to Disable System Restore in Windows ME or
Windows XP.
2. Restarting the computer in Safe mode or
VGA mode
Shut down the computer and turn off the power.
Wait for at least 30 seconds, and then restart
the computer in Safe mode or VGA mode.
- For Windows 95, 98, Me, 2000, or XP users,
restart the computer in Safe mode.
- For Windows NT 4 users, restart the computer
in VGA mode.
3. Reversing the changes made to the registry
- Click Start, and then click Run. (The Run
dialog box appears.)
- Type regedit
Then click OK. (The Registry Editor opens.)
- Navigate to the keys:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
RunServices
- In the right pane, delete the value:
"Generic Service
Process"="regsvc32.exe"
- Exit the Registry Editor.
- Restart the computer in Normal mode.
4. Updating the virus definitions
If you do not know which anti-virus software
can provide strong protection for you, Kaspersky Internet Security is recommended.
5. Scanning for and deleting the infected
files
- Start your Kaspersky Internet Security and make sure that it is
configured to scan all the files.
- Run a full system scan.
- If any files are detected as infected with Gaobot.UL, click Delete.
6. Deleting the added lines from the Windows
Hosts file
Follow the instructions for your operating
system:
- Windows 95/98/Me/NT/2000
- Click Start, point to Find or Search,
and then click Files or Folders.
- Make sure that "Look in" is
set to (C:) and that "Include
subfolders" is checked.
- In the "Named" or "Search
for..." box, type:
hosts
- Click Find Now or Search Now.
- For each one that you find, note its
location. (This is displayed in the
"In Folder" column.)
- Right-click each file, and then click
"Open With."
- Deselect the "Always use this
program to open this program" check
box.
- Scroll through the list of programs and
double-click Notepad.
- When the file opens, delete all the
entries in the Hosts file, except for the
following line:
127.0.0.1
localhost
- Close Notepad and save your changes when
prompted.
- Windows XP
- Click Start, and then click Search.
- Click All files and folders.
- In the "All or part of the file
name" box, type:
hosts
- Verify that "Look in" is set
to "Local Hard Drives" or to
(C:).
- Click "More advanced options."
- Check "Search system folders."
- Check "Search subfolders."
- Click Search.
- Click Find Now or Search Now.
- For each one that you find, note its
location. (This is displayed in the
"In Folder" column.)
- Right-click each file, and then click
"Open With."
- Deselect the "Always use this
program to open this program" check
box.
- Scroll through the list of programs and
double-click Notepad.
- When the file opens, delete all the
entries in the Hosts file except for the
following line:
127.0.0.1
localhost
- Close Notepad and save your changes when
prompted.
How to Disinfect My Computer from Worms?
In order to keep your computer protected, bear
the following tips in mind:
- If you have filtering tools installed,
configure them to reject messages with the
characteristics described above. If, in spite
of doing this, you receive the message that
contains the virus: do not open it, do not run
the attached file and delete it, making sure
that you also delete it from the Deleted
Items folder.
- Install a good antivirus in your computer.
Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic
updates are available, configure your
antivirus to use them.
- Keep your permanent antivirus protection
enabled at all times.
Detect and Removal Instruction for Other
Variants:
|
