What
is the Gaobot.YC worm?
Gaobot.YC is a variant of Gaobot.gen
that attempts to spread to network shares and
allows access to an infected computer through an
IRC channel.
The worm uses multiple vulnerabilities to spread,
including:
Gaobot.YC is packed with UPX and IHMOWrap3.
How
Does Gaobot.YC Infect My System?
When Gaobot.YC runs, it does the following:
- Copies itself as %System%\svhst.exe.
- Adds the value:
"Configuration Loader" = "svhst.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- Opens a randomly selected TCP port to
connect to an attacker.
- Connects to a predefined IRC channel, using
its own IRC client, and listens for the
commands from an attacker.
- Allows an attacker to remotely control a
compromised computer, allowing him/her to
perform any of the following actions:
- Manage the installation of the worm
- Dynamically update the installed worm
- Download and execute files
- Steal system information
- Send the worm to other IRC users
- Add new accounts
- Remotely schedules a task to run the worm on
a newly infected computer.
- Randomly calculates an IP address and
performs a Distributed Denial of Service (DDoS)
attack against targeted systems.
- Acts as a proxy server to direct attacks
from another machine.
- Sends data to TCP port 135, which exploits
the DCOM RPC vulnerability, or sends data to
TCP port 445 to exploit the RPC locator
vulnerability.
- Probes the following shares:
- admin$
- c$
- d$
- e$
- print$
using the following user names and
passwords, as well as any user names found
using NetUserEnum():
User names:
- a
- aaa
- abc
- asdf
- admin
- Administrador
- Administrateur
- ......
Passwords:
- 0
- 1
- 7
- 12
- 110
- 111
- 123
- 1234
- ......
- Copies itself to any systems it compromised
using the previously mentioned exploits.
- Drops Backdoor.Gaobot to the compromised
network shares, and then executes it.
- Steals the CD keys of the following games:
- Battlefield 1942
- Battlefield 1942 Secret Weapons of WWII
- Battlefield 1942 The Road to Rome
- Command & Conquer Generals
- Counter-Strike
- FIFA 2002
- FIFA 2003
- Half-Life
- Legends of Might and Magic
- Nascar Racing 2002
- Nascar Racing 2003
- Need For Speed Hot Pursuit 2
- Neverwinter
- NHL 2002
- NHL 2003
- Project IGI 2
- Rainbow Six III RavenShield
- Red Alert
- Red Alert 2
- Soldier of Fortune II - Double Helix
- The Gladiators
- Tiberian Sun
- Unreal Tournament 2003
- Westwood\Nox
- Ends the following processes associated with
antivirus and firewall software:
- _AVP32.EXE
- _AVPCC.EXE
- _AVPM.EXE
- ACKWIN32.EXE
- ANTI-TROJAN.EXE
- APVXDWIN.EXE
- AUTODOWN.EXE
- AVCONSOL.EXE
- ......
- Attempts to kill some processes associated
with other worms:
- dllhost.exe
- msblast.exe
- mspatch.exe
- penis32.exe
- tftpd.exe
- winhlpp32.exe
- winppr32.exe
- Listens on randomly calculated ports (within
the range of 1000, and one from above 10000)
and waits for other computers to download the
worm.
How to Remove the Gaobot.YC worm?
Kaspersky Internet Security Can Prevent You From Virus and Intrusion.
If Kaspersky detects Gaobot.YC during the
scan, it will AUTOMATICALLY offer you the option
of deleting it. Do this by following the
program's instructions.
1. Disabling
System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we
recommend that you temporarily turn off System
Restore. Windows Me/XP uses this feature, which
is enabled by default, to restore the files on
your computer in case they become damaged. If a
virus, worm, or Trojan infects a computer, System
Restore may back up the virus, worm, or Trojan on
the computer.
For instructions on how to turn off System
Restore, read your Windows documentation, or one
of the following articles: How
to Disable System Restore in Windows ME or
Windows XP.
2. Restarting the computer in Safe mode or
VGA mode
Shut down the computer and turn off the power.
Wait for at least 30 seconds, and then restart
the computer in Safe mode or VGA mode.
- For Windows 95, 98, Me, 2000, or XP users,
restart the computer in Safe mode.
- For Windows NT 4 users, restart the computer
in VGA mode.
3. Reversing the changes made to the registry
- Click Start, and then click Run. (The Run
dialog box appears.)
- Type regedit
Then click OK. (The Registry Editor opens.)
- Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- In the right pane, delete the value:
"Configuration Loader" = "svhst.exe"
- Do one of the following:
- Windows NT/2000/XP. Proceed with step h.
- Windows 95/98/Me. Go to step f.
- Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
- In the right pane, delete the value:
"Configuration Loader" = "svhst.exe"
- Exit the Registry Editor.
- Restart the computer in Normal mode.
4. Updating the virus definitions
If you do not know which anti-virus software
can provide strong protection for you, Kaspersky Internet Security is recommended.
5. Scanning for and deleting the infected
files
- Start your Kaspersky Internet Security and make sure that it is
configured to scan all the files.
- Run a full system scan.
- If any files are detected as infected with Gaobot.YC, click Delete.
How to Disinfect My Computer from Worms?
In order to keep your computer protected, bear
the following tips in mind:
- If you have filtering tools installed,
configure them to reject messages with the
characteristics described above. If, in spite
of doing this, you receive the message that
contains the virus: do not open it, do not run
the attached file and delete it, making sure
that you also delete it from the Deleted
Items folder.
- Install a good antivirus in your computer.
Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic
updates are available, configure your
antivirus to use them.
- Keep your permanent antivirus protection
enabled at all times.
Detect and Removal Instruction for Other
Variants:
| 
