Lumension® Endpoint Intelligence Center


Overview

Threat Risk: NONE
Destructivity: MEDIUM
Payload:
Detection files published:
Description created: 22 Apr 2004 05:49:00
Description updated: 22 Apr 2004 05:49:00
Malware type: WORM
Alias:
Spreading mechanism: NETWORK
Summary: None

HLLW.Gaobot

Spreading

When a Gaobot starts, it copies itself to the %SYSTEM% folder under a predefined name. It then creates two entries, one in each of the following registry keys, so that it is started with Windows:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Gaobots use various Windows exploits to infect a machine, the most common being:

- Buffer Overrun In RPC Interface Could Allow Code Execution (MS03-026)
- Unchecked Buffer in Locator Service Could Lead to Code Execution (MS03-001)
- Buffer Overrun in the Workstation Service Could Allow Code Execution (MS03-007)
- Unchecked Buffer In Windows Component Could Cause Server Compromise (MS03-049)

The worm also searches for and exploits backdoors left by other worms (e.g. Bagle and Mydoom) in order to infect machines. Gaobots also attempt to copy themselves to network shares. If the share has restricted write access, the worm attempts to log in using a list of usernames and passwords.

Payload Details

Gaobots join an IRC channel, where they sit and wait for commands. Commands that may be supported by Gaobot variants include:

- Retrieve information about the worm.
- Terminate or uninstall the worm.
- Resolve an IP/hostname via DNS.
- Execute a program or open a file.
- Change IRC nick.
- Log out of the current channel.
- Display system information.
- Redirect TCP traffic.
- Download and optionally execute a file via FTP or HTTP.
- Upload a file.

Machines infected with Gaobot can also be used in a distributed denial of service (DDoS) attack. The supported attack types are:

- ICMP flood
- UDP flood
- SYN flood
- HTTP flood
- Targa3 flood

The worm may also re-enable the following administrative shares on the system: C$, D$, E$, IPC$ and ADMIN$.

Some Gaobot variants also modify the hosts file to prevent access to anti-virus websites.

Finally, Gaobots also attempt to terminate processes associated with anti-virus, firewall and other security software, and are able to start and stop services.
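Two of the host artifacts described above (the paired Run/RunServices autostart entries from the Spreading section and the hosts-file blocking of anti-virus sites) can be triaged offline from a registry export and a hosts file. The following is an added example written for this page, not Lumension's code; the sample hosts lines, the value name "Updater" and the path example_svc.exe are constructed placeholders, not indicators from the description.

```python
from ipaddress import ip_address

# Constructed sample hosts file: one legitimate mapping plus two names forced
# to the loopback/unspecified address, the pattern used to block AV sites.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
127.0.0.1    update.av-vendor.example   # sinkholed
0.0.0.0      www.av-vendor.example
"""

# Constructed .reg-style export of the two autostart keys named above
# (placeholder value name and path, not an indicator from the description).
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Updater"="C:\\WINDOWS\\System32\\example_svc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Updater"="C:\\WINDOWS\\System32\\example_svc.exe"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUNSERVICES_KEY = RUN_KEY + "Services"

def find_hosts_sinkholes(hosts_text):
    """(hostname, address) pairs mapping a non-localhost name to loopback/0.0.0.0."""
    hits = []
    for raw in hosts_text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop trailing comment
        if len(parts) < 2:
            continue
        try:
            addr = ip_address(parts[0])
        except ValueError:
            continue                           # malformed line, not an IP
        if addr.is_loopback or addr.is_unspecified:
            hits += [(n.lower(), str(addr)) for n in parts[1:]
                     if n.lower() != "localhost"]
    return hits

def find_dual_autostart(reg_text):
    """{value_name: command} registered under both Run and RunServices."""
    entries, current = {RUN_KEY: {}, RUNSERVICES_KEY: {}}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = entries.get(line[1:-1])  # None for keys we ignore
        elif current is not None and line.startswith('"') and '"="' in line:
            name, _, value = line[1:-1].partition('"="')
            current[name] = value
    return {n: c for n, c in entries[RUN_KEY].items()
            if entries[RUNSERVICES_KEY].get(n) == c}
```

A hit from either function is a lead to investigate, not proof of infection: some management tools also register in both keys, and hosts-file sinkholing is used legitimately by ad blockers.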

Analysis

n/a

Removal

Lumension currently detects hundreds of Gaobots, with new variants appearing daily.


Last Updated: 12 Nov 2015 11:06:10