W32/Gaobot.worm.ak

This page shows details and results of our analysis of the malware W32/Gaobot.worm.ak.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT: 4298 (2003-10-15)
Updated DAT: 4326 (2004-02-18)
Minimum Engine: 5.1.00
File Length: 204800
Description Added: 2003-10-10
Description Modified: 2003-10-16

Malware Proliferation

Characteristics

Like previous variants (W32/Gaobot.worm.aa, for example), this worm attempts to use several vulnerabilities to spread:

Upon execution, the worm copies itself to %SysDir% as:

  • LSAS.EXE (204800 bytes)

(Where %SysDir% is the System directory, for example: C:\WINNT\SYSTEM32.)

The following Registry keys are added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Windows Explorer" = LSAS.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "Windows Explorer" = LSAS.exe
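
As an added example that is not part of the original advisory, the following Python parses `reg query` output for the two autorun keys above and flags any value whose data launches LSAS.exe. The sample output is constructed; the check compares the full file name so that the legitimate lsass.exe in %SysDir% is not mistaken for the dropped LSAS.EXE.

```python
import re
from typing import List, Tuple

# Autorun keys the worm hooks and the file it drops into %SysDir% (both from the advisory).
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
DROPPED_FILE = "lsas.exe"

# Constructed sample of `reg query <key>` output; not captured from an infected host.
# The lsass.exe line is a decoy: the legitimate LSASS binary must not be flagged.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    UpdateChecker    REG_SZ    "C:\Program Files\Vendor\update.exe"
    Windows Explorer    REG_SZ    LSAS.exe
    Decoy    REG_SZ    C:\WINNT\SYSTEM32\lsass.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    Windows Explorer    REG_SZ    LSAS.exe
"""

def parse_reg_query(output: str) -> List[Tuple[str, str, str, str]]:
    """Turn `reg query` text into (key, value_name, value_type, data) tuples."""
    entries, current_key = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw.startswith("HKEY_"):  # an unindented line names the key that follows
            current_key = line
        elif current_key is not None:
            # reg query separates value name, type and data with runs of spaces
            parts = re.split(r"\s{2,}", line, maxsplit=2)
            if len(parts) == 3:
                entries.append((current_key, parts[0], parts[1], parts[2]))
    return entries

def launched_basename(data: str) -> str:
    """Lower-cased file name from an autorun value's data (path and quotes stripped)."""
    return data.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_gaobot_autoruns(output: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for autorun values that launch LSAS.exe."""
    return [
        (key, name, data)
        for key, name, _vtype, data in parse_reg_query(output)
        if key.lower() in AUTORUN_KEYS and launched_basename(data) == DROPPED_FILE
    ]
```

On a live host the same functions can be fed the text of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` and the RunServices equivalent.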

Symptoms

  • Existence of the Registry keys and filenames detailed above
  • Additional traffic on TCP ports 135 (MS03-026 related), 445 (MS03-001 related) and 6667
  • The worm references the NetScheduleJob API call and may create remote Scheduled Tasks on infected systems
  • Unexpected network traffic to a remote IRC server
  • Unexpected traffic to an FTP server to download/update a bot
  • When going to Add/Remove Programs, the list is empty, no icons or descriptions of the installed programs appear, and its "Close" button doesn't work
  • Font changes
  • Problems printing
  • Copy & paste functionality might no longer work properly
  • The worm attempts to terminate the following processes:

    • _AVP32.EXE
    • _AVPCC.EXE
    • _AVPM.EXE
    • ACKWIN32.EXE
    • ANTI-TROJAN.EXE
    • APVXDWIN.EXE
    • AUTODOWN.EXE
    • AVCONSOL.EXE
    • AVE32.EXE
    • AVGCTRL.EXE
    • AVKSERV.EXE
    • AVNT.EXE
    • AVP.EXE
    • AVP32.EXE
    • AVPCC.EXE
    • AVPDOS32.EXE
    • AVPM.EXE
    • AVPTC32.EXE
    • AVPUPD.EXE
    • AVSCHED32.EXE
    • AVWIN95.EXE
    • AVWUPD32.EXE
    • BLACKD.EXE
    • BLACKICE.EXE
    • CFIADMIN.EXE
    • CFIAUDIT.EXE
    • CFINET.EXE
    • CFINET32.EXE
    • CLAW95.EXE
    • CLAW95CF.EXE
    • CLEANER.EXE
    • CLEANER3.EXE
    • DVP95.EXE
    • DVP95_0.EXE
    • ECENGINE.EXE
    • ESAFE.EXE
    • ESPWATCH.EXE
    • F-AGNT95.EXE
    • FINDVIRU.EXE
    • FPROT.EXE
    • F-PROT.EXE
    • F-PROT95.EXE
    • FP-WIN.EXE
    • FRW.EXE
    • F-STOPW.EXE
    • IAMAPP.EXE
    • IAMSERV.EXE
    • IBMASN.EXE
    • IBMAVSP.EXE
    • ICLOAD95.EXE
    • ICLOADNT.EXE
    • ICMON.EXE
    • ICSUPP95.EXE
    • ICSUPPNT.EXE
    • IFACE.EXE
    • IOMON98.EXE
    • JEDI.EXE
    • LOCKDOWN2000.EXE
    • LOOKOUT.EXE
    • LUALL.EXE
    • MOOLIVE.EXE
    • MPFTRAY.EXE
    • N32SCANW.EXE
    • NAVAPW32.EXE
    • NAVLU32.EXE
    • NAVNT.EXE
    • NAVW32.EXE
    • NAVWNT.EXE
    • NISUM.EXE
    • NMAIN.EXE
    • NORMIST.EXE
    • NUPGRADE.EXE
    • NVC95.EXE
    • OUTPOST.EXE
    • PADMIN.EXE
    • PAVCL.EXE
    • PAVSCHED.EXE
    • PAVW.EXE
    • PCCWIN98.EXE
    • PCFWALLICON.EXE
    • PERSFW.EXE
    • RAV7.EXE
    • RAV7WIN.EXE
    • RESCUE.EXE
    • SAFEWEB.EXE
    • SCAN32.EXE
    • SCAN95.EXE
    • SCANPM.EXE
    • SCRSCAN.EXE
    • SERV95.EXE
    • SMC.EXE
    • SPHINX.EXE
    • SWEEP95.EXE
    • TBSCAN.EXE
    • TCA.EXE
    • TDS2-98.EXE
    • TDS2-NT.EXE
    • VET95.EXE
    • VETTRAY.EXE
    • VSCAN40.EXE
    • VSECOMR.EXE
    • VSHWIN32.EXE
    • VSSTAT.EXE
    • WEBSCANX.EXE
    • WFINDV32.EXE
    • ZONEALARM.EXE

Method of Infection

This worm propagates via accessible or poorly secured network shares, and is intended to take advantage of two high-profile exploits:

It also attempts to spread through the following default administrative shares:

    • print$
    • e$
    • d$
    • c$
    • admin$
    • ipc$

The worm carries a list of common usernames and passwords made up of typical weak username/password combinations. Users should avoid securing shares with passwords containing key sequences such as:

    • 000000
    • 00000000
    • 007
    • 1
    • 110
    • 111
    • 111111
    • 11111111
    • 12
    • 121212
    • 123
    • 123123
    • 1234
    • 12345
    • 123456
    • 1234567
    • 12345678
    • 123456789
    • 1234qwer
    • 123abc
    • 123asd
    • 123qwe
    • 2002
    • 2600
    • 54321
    • 654321
    • 88888888
    • a
    • aaa
    • abc
    • abcd
    • Admin
    • admin
    • Administrador
    • Administrateur
    • administrator
    • Administrator
    • alpha
    • asdf
    • computer
    • database
    • Default
    • Dell
    • enable
    • foobar
    • Gast
    • god
    • godblessyou
    • Guest
    • home
    • ihavenopass
    • Internet
    • Inviter
    • Login
    • love
    • mgmt
    • mypass
    • mypc
    • oracle
    • owner
    • Owner
    • pass
    • passwd
    • Password
    • password
    • pat
    • patrick
    • pc
    • pw
    • pwd
    • qwer
    • root
    • secret
    • server
    • sex
    • Standard
    • super
    • sybase
    • temp
    • test
    • Test
    • User
    • win
    • x
    • xp
    • xxx
    • xyz
    • yxcv
    • zxcv
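
As an added example that is not part of the advisory, this Python audits share passwords against a subset of the sequences listed above and reports the longest sequence a password contains. The minimum length for substring matching is this example's own assumption, and the sample passwords are constructed.

```python
from typing import Dict, Iterable, Optional

# Subset of the username/password sequences in the worm's dictionary (taken from the advisory).
GAOBOT_DICTIONARY = {
    "000000", "007", "1", "111111", "1234", "12345678", "1234qwer", "123abc", "a",
    "abc", "admin", "administrator", "computer", "database", "foobar", "god",
    "godblessyou", "ihavenopass", "mypass", "oracle", "owner", "pass", "passwd",
    "password", "pw", "qwer", "root", "secret", "server", "super", "sybase", "temp",
    "test", "x", "xp", "zxcv",
}
# Assumption of this example: entries shorter than this only count when the whole password
# equals them; otherwise one-letter entries such as "a" or "x" would flag every password.
MIN_SUBSTRING_LEN = 4
# Longest entries first, so "abc12345678" is reported as containing "12345678", not "1234".
SUBSTRING_ENTRIES = sorted(
    (e for e in GAOBOT_DICTIONARY if len(e) >= MIN_SUBSTRING_LEN), key=len, reverse=True
)

def weak_sequence(password: str) -> Optional[str]:
    """Return the dictionary entry the password equals or contains, or None if clean."""
    candidate = password.lower()
    if candidate in GAOBOT_DICTIONARY:
        return candidate
    for entry in SUBSTRING_ENTRIES:
        if entry in candidate:
            return entry
    return None

def audit_share_passwords(passwords: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each share password to the weak sequence it contains (None means no match)."""
    return {pw: weak_sequence(pw) for pw in passwords}

if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real system.
    for pw, hit in audit_share_passwords(["Password1", "Godblessyou!", "xylophone", "x"]).items():
        print(f"{pw!r}: {'contains ' + repr(hit) if hit else 'no match'}")
```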

Once running on the victim machine, the worm also acts as an IRC bot and attempts to join a channel on an IRC server. Once connected, the bot can receive commands to perform various tasks, such as:

    • Exit the bot
    • Retrieve system information
    • Retrieve the bot's status
    • Open a file
    • Download (via FTP or HTTP) and execute a file
    • Perform a Denial of Service attack

The worm also tries to steal the CD keys of the following games:

    • Chrome
    • Soldier of Fortune II - Double Helix
    • Neverwinter
    • Nox
    • Tiberian Sun
    • Red Alert 2
    • Red Alert
    • Project IGI 2
    • Command & Conquer Generals
    • Battlefield 1942 Secret Weapons of WWII
    • Battlefield 1942 The Road to Rome
    • Battlefield 1942
    • Nascar 2003
    • Nascar 2002
    • Nascar Racing 2002
    • NHL 2003
    • NHL 2002
    • FIFA 2003
    • FIFA 2002
    • Need For Speed Hot Pursuit 2
    • The Gladiators
    • UT2003
    • LoMaM
    • Counter-Strike
    • Half-Life CDKey

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

In some particular cases, however, the following additional steps need to be taken.

Go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

    • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
    • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
    • Select the Windows installation that is compromised and provide the administrator password.
    • Issue the 'fixmbr' command to restore the Master Boot Record.
    • Follow the onscreen instructions.
    • Restart the computer and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

    • Insert the Windows CD into the CD-ROM drive and restart the computer.
    • Click on "Repair Your Computer".
    • When the System Recovery Options dialog comes up, choose the Command Prompt.
    • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
    • Follow the onscreen instructions.
    • Restart the computer and remove the CD from the CD-ROM drive.

Variants