McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Business Home McAfee Labs Threat Intelligence

W32/Gaobot.worm.ai

This page shows details and results of our analysis on the malware W32/Gaobot.worm.ai

Threat Detail

Malware Type: Virus

Malware Sub-type: Internet Worm

Discovery Date: 2003-10-03

Next Steps:

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT

4297 (2003-10-08)

Updated DAT

4326 (2004-02-18)

 Minimum Engine

5.1.00

File Length

206,336 bytes

 Description Added

2003-10-03

Description Modified

2003-10-03

Malware Proliferation

Characteristics

Similarly to previous variants ( W32/Gaobot.worm.aa for example), this worm attempts to use several vulnerabilities to spread:

Upon execution, the worm copies itself to %SysDir% as:

  • SCVHOST.EXE

(Where %SysDir% is the System directory, for example: C:\WINNT\SYSTEM32.)

The following Registry keys are added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run "Config Loader" = SCVHOST.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
RunServices "Config Loader" =  SCVHOST.EXE

As for the previous variant, this worm requires MSVCP60.DLL to run - this is a standard MS Visual C DLL, which if not present on the system, would prevent the worm from executing.

Symptoms

- Existence of the Registry keys and filenames detailed above
- Additional traffic on TCP ports 135 (MS03-026 related) and 445 (MS03-001 related).
- The worm references the NetScheduleJob API call and may create remote Scheduled Tasks on infected systems.
- Unexpected network traffic to following remote IRC server:

  • bunghole.mysqld.com

- Unexpected traffic to the following servers:

  • postmaster.info.aol.com
  • mailin-01.mx.aol.com
  • mailin-02.mx.aol.com
  • mailin-03.mx.aol.com
  • mailin-04.mx.aol.com

  • The worm attempts to terminate the following processes:

    • _AVP32.EXE
    • _AVPCC.EXE
    • _AVPM.EXE
    • ACKWIN32.EXE
    • ANTI-TROJAN.EXE
    • APVXDWIN.EXE
    • AUTODOWN.EXE
    • AVCONSOL.EXE
    • AVE32.EXE
    • AVGCTRL.EXE
    • AVKSERV.EXE
    • AVNT.EXE
    • AVP.EXE
    • AVP32.EXE
    • AVPCC.EXE
    • AVPDOS32.EXE
    • AVPM.EXE
    • AVPTC32.EXE
    • AVPUPD.EXE
    • AVSCHED32.EXE
    • AVWIN95.EXE
    • AVWUPD32.EXE
    • BLACKD.EXE
    • BLACKICE.EXE
    • CFIADMIN.EXE
    • CFIAUDIT.EXE
    • CFINET.EXE
    • CFINET32.EXE
    • CLAW95.EXE
    • CLAW95CF.EXE
    • CLEANER.EXE
    • CLEANER3.EXE
    • DVP95.EXE
    • DVP95_0.EXE
    • ECENGINE.EXE
    • ESAFE.EXE
    • ESPWATCH.EXE
    • F-AGNT95.EXE
    • FINDVIRU.EXE
    • FPROT.EXE
    • F-PROT.EXE
    • F-PROT95.EXE
    • FP-WIN.EXE
    • FRW.EXE
    • F-STOPW.EXE
    • IAMAPP.EXE
    • IAMSERV.EXE
    • IBMASN.EXE
    • IBMAVSP.EXE
    • ICLOAD95.EXE
    • ICLOADNT.EXE
    • ICMON.EXE
    • ICSUPP95.EXE
    • ICSUPPNT.EXE
    • IFACE.EXE
    • IOMON98.EXE
    • JEDI.EXE
    • LOCKDOWN2000.EXE
    • LOOKOUT.EXE
    • LUALL.EXE
    • MOOLIVE.EXE
    • MPFTRAY.EXE
    • N32SCANW.EXE
    • NAVAPW32.EXE
    • NAVLU32.EXE
    • NAVNT.EXE
    • NAVW32.EXE
    • NAVWNT.EXE
    • NISUM.EXE
    • NMAIN.EXE
    • NORMIST.EXE
    • NUPGRADE.EXE
    • NVC95.EXE
    • OUTPOST.EXE
    • PADMIN.EXE
    • PAVCL.EXE
    • PAVSCHED.EXE
    • PAVW.EXE
    • PCCWIN98.EXE
    • PCFWALLICON.EXE
    • PERSFW.EXE
    • RAV7.EXE
    • RAV7WIN.EXE
    • RESCUE.EXE
    • SAFEWEB.EXE
    • SCAN32.EXE
    • SCAN95.EXE
    • SCANPM.EXE
    • SCRSCAN.EXE
    • SERV95.EXE
    • SMC.EXE
    • SPHINX.EXE
    • SWEEP95.EXE
    • TBSCAN.EXE
    • TCA.EXE
    • TDS2-98.EXE
    • TDS2-NT.EXE
    • VET95.EXE
    • VETTRAY.EXE
    • VSCAN40.EXE
    • VSECOMR.EXE
    • VSHWIN32.EXE
    • VSSTAT.EXE
    • WEBSCANX.EXE
    • WFINDV32.EXE
    • ZONEALARM.EXE

    • Method of Infection

    This worm propagates via accessible or poorly secured network shares, and is intended to take advantage of two high profile exploits:

    When it attempts to spread through default administrative shares:

    • print$
    • e$
    • d$
    • c$
    • admin$
    • ipc$

    The worm contains a list of common user-names and passwords. This list contains typical poor username/password combinations. Users should avoid securing shares with passwords containing key sequences such as:

    • 000000
    • 00000000
    • 007
    • 1
    • 110
    • 111
    • 111111
    • 11111111
    • 12
    • 121212
    • 123
    • 123123
    • 1234
    • 12345
    • 123456
    • 1234567
    • 12345678
    • 123456789
    • 1234qwer
    • 123abc
    • 123asd
    • 123qwe
    • 2002
    • 2600
    • 54321
    • 654321
    • 88888888
    • a
    • aaa
    • abc
    • abcd
    • Admin
    • admin
    • Administrador
    • Administrateur
    • administrator
    • Administrator
    • alpha
    • asdf
    • computer
    • database
    • Default
    • Dell
    • enable
    • foobar
    • Gast
    • god
    • godblessyou
    • Guest
    • home
    • ihavenopass
    • Internet
    • Inviter
    • Login
    • love
    • mgmt
    • mypass
    • mypc
    • oracle
    • owner
    • Owner
    • pass
    • passwd
    • Password
    • password
    • pat
    • patrick
    • pc
    • pw
    • pwd
    • qwer
    • root
    • secret
    • server
    • sex
    • Standard
    • super
    • sybase
    • temp
    • test
    • Test
    • User
    • win
    • x
    • xp
    • xxx
    • xyz
    • yxcv
    • zxcv

    Once running on the victim machine the worm also acts as an IRC bot, and attempts to join a channel on the following remote IRC server:

    • bunghole.mysqld.com

    Once connected, the bot can receive commands to perform various tasks, such as:

    • Exit the bot
    • Retrieve system information
    • Retrieve the bot's status
    • Open a file
    • Download (via FTP or HTTP) and execute a file
    • Perform a Denial of Service attack

    The worm also tries to steal game software CD keys:

    • Chrome
    • Soldier of Fortune II - Double Helix
    • Neverwinter
    • Nox
    • Tiberian Sun
    • Red Alert 2
    • Red Alert
    • Project IGI 2
    • Command & Conquer Generals
    • Battlefield 1942 Secret Weapons of WWII
    • Battlefield 1942 The Road to Rome
    • Battlefield 1942
    • Nascar 2003
    • Nascar 2002
    • Nascar Racing 2002
    • NHL 2003
    • NHL 2002
    • FIFA 2003
    • FIFA 2002
    • Need For Speed Hot Pursuit 2
    • The Gladiators
    • UT2003
    • LoMaM
    • Counter-Strike
    • Half-Life CDKey

    Removal

    All Users:
    Use specified engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Variants

    United States - English