[unisog] Info on Gaobot.AFJ
eckman at umn.edu
Thu Apr 29 21:14:24 GMT 2004
I know some Universities are seeing hosts infected with Gaobot.AFJ, and
more with variants just like it. I have analyzed what Symantec detects
as Gaobot.AFJ, and have some details that people might find helpful.
First off, it really should be called Polybot/Phatbot and not
Gaobot/Agobot. Second, it is mostly like what McAfee is calling
W32/Gaobot.worm.ali. I'll outline differences below:
McAfee URL (I've posted it here before, recently :)
I've seen it as
Both files are essentially the same, but the MD5s are different. This is
probably because Polybot is polymorphic. The registry keys are just like
McAfee's writeup, except they will be like:
CurrentVersion\Run "Microsoft Update" = wmipsvsc.exe
CurrentVersion\RunServices "Microsoft Update" = wmipsvsc.exe
It tries to connect to three different DNS names to find its DNS
controller. It tries:
ph4tbackupz4.alt-bin.com:7000/tcp (184.108.40.206, status: host down)
ph4tbackupz4.no-ip.info:7000/tcp (220.127.116.11, status: host up, no
IRC server present)
It is possible that 7000/tcp will actually be stunnel, pointing to
6667/tcp on the same host. This is presumably to encrypt the IRC traffic
to make the botnet harder to find. Variants of Gaobot/Polybot have been
doing this for some time, often using 1331/tcp for stunnel.
If Gaobot.AFJ can connect to its IRC server, it will be fully active.
It will look for a huge list of running processes, and terminate them if
they are running. Processes include AntiVirus software, Ethereal,
MSconfig, Regedit, etc. (some or all of these processes might be
terminated even before it connects to the IRC server). However, it
searches for active processes by name, so if you make a copy of
regedit.exe and call it something different, it should run. You can then
remove the keys for wmipsvsc.exe and reboot. Then, the file will no
longer be hidden from Windows (it hides itself, but cannot do that if it
is not running), and you can delete it from a command prompt, Explorer,
Note that the above paragraph is likely relevant for any modern variant
of Polybot. Replace wmipsvsc.exe with whatever name your variant is
using, and it will often work.
Note that all variants of Gaobot/Polybot allow the IRC channel op to
download and install additional software on infected computers, so the
above might not be all that is needed to make a computer "clean".
Remember also that these newer variants are sniffing and sending screen
captures back to the IRC channel op, so users should change passwords on
a clean computer ASAP after infection is noticed.
There are several variants of this same type of worm out there, and they
are successfully exploiting the LSASS flaw in MS04-011 as one method of
spreading. We all likely have hundreds or even thousands of unpatched
hosts on our network, so prevention is ideal, but early detection of
infected hosts on your network is an absolute *must* if you want to
contain this. Polybot variants may try to spread via various exploits
over TCP ports 80, 135, 139, 445, 1434, 2745, 3127, 3410, 5000, 6129,
and others I've forgotten or just missed. Note it is almost always a
subset of those ports/vulnerabilities, and not every single one. Fully
patched machines are not necessarily safe, as it throws a laundry list
of username/password combos at hosts trying to get in via "weak"
passwords. Some of the passwords it tries are not ones some admins would
You absolutely cannot count on antivirus software to protect you from
gaobot/polybot. New variants are coming out daily. McAfee reports that
there have been over 900 variants so far, and most of which have likely
come in the last six months.
If you don't think you have or have had a gaobot problem, I fear you
might be dead wrong. This is one of the most successful worms in history
that nobody has heard of. Check for flows to bogon hosts such as
18.104.22.168, 10.0.1.128 and 22.214.171.124. Common TCP ports used for the IRC
communication have been 1331, 6667 and 7000, but each variant can use
whatever it chooses.
If you suspect a host has Gaobot/Polybot, you might want to nMap it (use
-p 1-65535 of course). It most likely has two or more "odd" ports open.
If you telnet to those odd ports, and one of the following happens,
chances are good that you have 'bot:
1. If it replies "220 Welcome to Bot FTP Service", you have Gaobot
2. If it replies "220 Bot Server (Win32)", you have Polybot
3. If it throws a ton of garbage at you, you probably have Gaobot. Try
other ports to see if any match #1 or #2 above.
If you use netcat to connect to the port that causes #3 to happen, and
pipe the output to a file, you will have a copy of the binary with four
extra bytes at the front of it. If you delete the first four bytes in a
hex editor and save it, you should have an actual copy of the virus
binary. However, modern Polybot variants no longer send themselves
automatically upon connection, so this won't always work for you.
Good luck out there,
OIT Security and Assurance
University of Minnesota
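The post above gives two practical detection handles: flows to the listed bogon hosts or to the common IRC ports (1331, 6667, 7000), and the banners the bot's own listening ports return. The following script is an added example for defenders, not code from the original post, Symantec or McAfee. It assumes a constructed one-line-per-flow log format (timestamp, src:port -> dst:port, proto) and uses only the indicators quoted in the message; the flow lines, internal 10.20.30.x hosts and 192.0.2.x destinations are constructed sample data.

```python
import re
from typing import Dict, List, Optional

# Indicators quoted in the post above (2004-era values; treat as illustrative).
IRC_C2_PORTS = {1331, 6667, 7000}
BOGON_HOSTS = {"18.104.22.168", "10.0.1.128", "22.214.171.124"}

# Banners the post says infected hosts return on their "odd" listening ports.
BANNERS = {
    "220 Welcome to Bot FTP Service": "Gaobot",
    "220 Bot Server (Win32)": "Polybot",
}

# Assumed (constructed) flow-log line format:
#   <epoch> <src>:<sport> -> <dst>:<dport> <proto>
FLOW_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+(?P<proto>tcp|udp)$"
)


def classify_banner(banner: bytes) -> str:
    """Map a banner read from a suspicious port to the family named in the post.

    Returns "Gaobot"/"Polybot" on a known greeting, "possible Gaobot binary push"
    when the reply is mostly non-printable (case #3 in the post), else "unknown".
    """
    text = banner.decode("latin-1", errors="replace").strip()
    for known, family in BANNERS.items():
        if text.startswith(known):
            return family
    if banner:
        printable = sum(32 <= b < 127 for b in banner)
        if printable / len(banner) < 0.7:
            return "possible Gaobot binary push"
    return "unknown"


def triage_flow(line: str) -> Optional[Dict]:
    """Return a finding for one flow line if it matches an indicator, else None."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    dst, dport = m["dst"], int(m["dport"])
    reasons: List[str] = []
    if dst in BOGON_HOSTS:
        reasons.append("bogon dst")
    if dport in IRC_C2_PORTS:
        reasons.append(f"irc c2 port {dport}")
    if not reasons:
        return None
    return {"src": m["src"], "dst": dst, "dport": dport, "reasons": reasons}


def suspect_hosts(lines: List[str]) -> Dict[str, List[str]]:
    """Group matched reasons by internal source host, so each host is checked once."""
    hosts: Dict[str, List[str]] = {}
    for line in lines:
        finding = triage_flow(line)
        if finding:
            hosts.setdefault(finding["src"], []).extend(finding["reasons"])
    return hosts


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    "1083272064 10.20.30.5:1045 -> 22.214.171.124:7000 tcp",
    "1083272065 10.20.30.7:1100 -> 192.0.2.10:80 tcp",
    "1083272066 10.20.30.9:3210 -> 192.0.2.50:6667 tcp",
    "1083272067 10.20.30.5:1046 -> 192.0.2.50:1331 tcp",
]

if __name__ == "__main__":
    for host, reasons in suspect_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: {', '.join(reasons)}")
    print(classify_banner(b"220 Bot Server (Win32)\r\n"))
```

A host that appears in `suspect_hosts` is a candidate for the full-range nmap and banner check the post describes; the banner classifier is meant to be fed the bytes you already captured, not to drive further probing on its own.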