What is the Gaobot.WO worm?

Gaobot.WO is a variant of Gaobot.gen. It attempts to spread through network shares that have weak passwords. It also allows attackers to access an infected computer through a predetermined IRC channel.

The worm uses multiple vulnerabilities to spread, including:

• The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
• The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445.
• The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
• The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445.

Also known as: Backdoor.Agobot.lh, W32/Gaobot.worm.gen.g

How Does Gaobot.WO Infect My System?

When Gaobot.WO runs, it does the following:

1. Copies and executes itself as %System%\Netlink32.exe.
   
   
2. Adds the value:
   
   "NetLink"="netlink32.exe"
   
   to the registry keys:
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
   RunServices
   
   so that the worm runs when you start Windows.
   
   
3. Ends the processes that are associated with antivirus and firewall software. Refer to "Processes" at the end of this section for a list of the process names.
   
   
4. Attempts to end the following processes, which are associated with other worms:
   • taskmon.exe
   • bbeagle.exe
   • d3dupdate.exe
   • winsys.exe
   • ssate.exe
   • i11r54n4.exe
   • rate.exe
   • irun4.exe
   • Ssate.exe
     
     
5. Appends the following lines to the infected computer's hosts file:
   
   127.0.0.1 www.trendmicro.com
   127.0.0.1 trendmicro.com
   127.0.0.1 rads.mcafee.com
   127.0.0.1 customer.symantec.com
   127.0.0.1 liveupdate.symantec.com
   127.0.0.1 us.mcafee.com
   127.0.0.1 updates.symantec.com
   127.0.0.1 update.symantec.com
   127.0.0.1 www.nai.com
   127.0.0.1 nai.com
   127.0.0.1 secure.nai.com
   127.0.0.1 dispatch.mcafee.com
   127.0.0.1 download.mcafee.com
   127.0.0.1 www.my-etrust.com
   127.0.0.1 my-etrust.com
   127.0.0.1 mast.mcafee.com
   127.0.0.1 ca.com
   127.0.0.1 www.ca.com
   127.0.0.1 networkassociates.com
   127.0.0.1 www.networkassociates.com
   127.0.0.1 avp.com
   127.0.0.1 www.kaspersky.com
   127.0.0.1 www.avp.com
   127.0.0.1 kaspersky.com
   127.0.0.1 www.f-secure.com
   127.0.0.1 f-secure.com
   127.0.0.1 viruslist.com
   127.0.0.1 www.viruslist.com
   127.0.0.1 liveupdate.symantecliveupdate.com
   127.0.0.1 mcafee.com
   127.0.0.1 www.mcafee.com
   127.0.0.1 sophos.com
   127.0.0.1 www.sophos.com
   127.0.0.1 symantec.com
   127.0.0.1 securityresponse.symantec.com
   127.0.0.1 www.symantec.com
   
   
6. Connects to a predetermined IRC channel, using its own IRC client, and listens for commands.
   
   The worm can:
   
   • Take a screenshot of the system
   • Change the IRC server to which the worm connects
   • Force a connection to a specified IRC channel
   • Terminate the worm
   • Have the worm send messages to people or channels on IRC
   • Instruct the worm to send files from the system to the specified user over IRC (DCC Send)
   • Download and execute files
   • Steal system information
   • Harvest email addresses
   • Steal CD keys for various games
   • Connect to FTP servers to upload files
   • Terminate processes (other than those mentioned in step 4)
   • Connect to other systems using SSH
   • Run the worm as a SOCKS proxy server and make connections. These connections will then appear to have come from an infected computer instead of the attacker.
     
     
7. Attempts to spread to other computers by exploiting the following vulnerabilities:
   • The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135
   • The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445
   • The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80
   • The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445
     
     
8. Uses various user names and weak passwords. It also uses the user names found using NetUserEnum() to probe these shares:
   
   • admin$
   • ipc$
   • c$
   • d$
   • e$
     
     
9. Copies itself to any computers it compromised using the previously mentioned exploits.
   
   
10. If you go to www.paypal.com, it tries to steal PayPal login information by logging keystrokes. The worm can also be instructed to steal login information for several AOL services, including AOL Instant Messenger service (AIM).

• _AVP32.EXE
• _AVPCC.EXE
• _AVPM.EXE
• 53ARCH.EXE
• APORTS.EXE
• ARMKILLER
• AUTO-PROTECT.NAV80TRY.EXE
• ......

How to Remove the Gaobot.WO worm?

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles: How to Disable System Restore in Windows ME or Windows XP.

2. Restarting the computer in Safe mode or VGA mode

Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode.

• For Windows 95, 98, Me, 2000, or XP users, restart the computer in Safe mode. 
• For Windows NT 4 users, restart the computer in VGA mode.

Follow the instructions for your operating system:

• Windows 95/98/Me/NT/2000
  1. Click Start, point to Find or Search, and then click Files or Folders.
  2. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
  3. In the "Named" or "Search for..." box, type:
     
     hosts
     
     
  4. Click Find Now or Search Now.
  5. For each one that you find, note its location. (This is displayed in the "In Folder" column.)
  6. Right-click each file, and then click "Open With."
  7. Deselect the "Always use this program to open this program" check box.
  8. Scroll through the list of programs and double-click Notepad.
  9. When the file opens, delete all the entries in the Hosts file, except for the following line:
     
     127.0.0.1     localhost
     
     
  10. Close Notepad and save your changes when prompted.
      
      
• Windows XP
  1. Click Start, and then click Search.
  2. Click All files and folders.
  3. In the "All or part of the file name" box, type:
     
     hosts
     
     
  4. Verify that "Look in" is set to "Local Hard Drives" or to (C:).
  5. Click "More advanced options."
  6. Check "Search system folders."
  7. Check "Search subfolders."
  8. Click Search.
  9. Click Find Now or Search Now.
  10. For each one that you find, note its location. (This is displayed in the "In Folder" column.)
  11. Right-click each file, and then click "Open With."
  12. Deselect the "Always use this program to open this program" check box.
  13. Scroll through the list of programs and double-click Notepad.
  14. When the file opens, delete all the entries in the Hosts file except for the following line:
      
      127.0.0.1     localhost
      
      
  15. Close Notepad and save your changes when prompted.

1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit
   
   Then click OK. (The Registry Editor opens.)
   
   
3. Navigate to the key:
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   
   
4. In the right pane, delete the value:
   
   "NetLink"="netlink32.exe"
   
   
5. Do one of the following:
   • Windows NT/2000/XP. Skip to step h.
   • Windows 95/98/Me. Proceed with step f.
     
     
6. Navigate to the key:
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
   RunServices
   
   
7. In the right pane, delete the value:
   
   "NetLink"="netlink32.exe"
   
   
8. Exit the Registry Editor.
   
   
9. Restart the computer in Normal mode. 

5. Updating the virus definitions

If you do not know which anti-virus software can provide strong protection for you, Kaspersky Internet Security is recommended.

6. Scanning for and deleting the infected files

1. Start your Kaspersky Internet Security and make sure that it is configured to scan all the files.
2. Run a full system scan.
3. If any files are detected as infected with Gaobot.WO, click Delete.

How to Disinfect My Computer from Worms?

In order to keep your computer protected, bear the following tips in mind:

1. If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of doing this, you receive the message that contains the virus: do not open it, do not run the attached file and delete it, making sure that you also delete it from the Deleted Items folder.
2. Install a good antivirus in your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
3. Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
4. Keep your permanent antivirus protection enabled at all times.

Detect and Removal Instruction for Other Variants: