New variant of Gaobot?

Brian Eckman eckman at
Tue Dec 9 22:11:10 GMT 2003

What appears to be a new variant of Gaobot (KAV "Agobot") is making its 
way through our University and others. Infected machines are seen 
scanning hosts on 135/tcp and 445/tcp, presumedly looking to spread 
itself. A co-worker downed quite a few of them over the past few days.

The one machine I've been looking at this afternoon has the following 
characteristics (yours may vary):

1. It is connected to an IRC channel #!X!# on 
(abuse at has been notified). The server calls itself 
"". There are over 400 other clients on this IRC server, 
presumedly all on that channel (protected by a key that I do not have yet).

2. It is scanning hosts on 135/tcp and 445/tcp. I have not seen the 
payload that occurs when a successful TCP conversation is initiated nor 
do I expect to ever be able to :-)

3. It has an FTP server listening on 14899/tcp. Telnet to that port and 
you see
220 "Welcome to Bot FTP service."   (including quotes)

Keep pressing enter to see more statements. It makes it appear that FTP 
is the transport method. (Port might be random)

4. It is, of course, Windows.

Look for hosts talking IRC to that IP address listed. I saw a number of 
EDUs that had computers connected to that channel...

I have not gotten my hands on the software that is causing this. I just 
wanted to send out an *early* warning for folks to start looking for 
this behavior. As I mentioned, I saw several Universities that were 
connecting to the IRC channel in question.

At this point, I am assuming that the IRC traffic, FTP server and port 
scanning are all associated with the same malware. I do not have 
evidence to prove it yet. Based on the look of the IRC server, it 
doesn't look what I would call "friendly".

Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

"There are 10 types of people in this world. Those who
understand binary and those who don't."

More information about the unisog mailing list