[unisog] Re: New variant of Gaobot?

Brian Eckman eckman at umn.edu
Thu Dec 11 23:14:12 GMT 2003


I finally got my hands on one of these beasts. The malware is one file; 
on the machine I investigated it was %SYSTEM%\cmd32.exe. I sent the 
offending file into Symantec for processing.

The file creates a new Service called "Windows Loader". You can't stop 
the service or kill the process (cmd32.exe). However, you can set the 
Service to disabled, and remove it from starting up in the registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

delete the entry:
Windows Loader = C:\WINNT\System32\cmd32.exe

or C:\Windows\System32\cmd32.exe, etc., depending on where Windows was 
installed.

You can then reboot the machine, and then delete the cmd32.exe file, and 
optionally, delete any references in the registry to it.

Brian


Jon Karl Miyake wrote:
> Just a followup to Brian's posting. We have been seeing similarly
> infected machines on our campus.  The network signature that is being used
> locally to track infected hosts differs from the one seen by UMN.  We have
> not seen the "IRC channel #!X!# on Brag-13-11.rh.ncsu.edu" signature in
> connection with local Gaobot infected computers.  However I will
> definitely start looking for it.
> 
> 3-4 ports are normally open. Port numbering appears to be random and
> payload?/daemon ports are not in any specific order.
> 
> Port  A: 113/tcp (this port is not always open)
> Port  B: FTP Daemon with the following banner.
> 
> ------------------------------
> 220 "Welcome to Bot FTP service."
> 331 Please specify the password.
> 230 Login successful. Have fun.
> 200 Switching to Binary mode.
> 200 PORT command successful
> 150 Opening BINARY mode data connection.
> 226 Transfer complete.
> 221 Goodbye, have a good infection :).
> ------------------------------
> 
> Port C: Will output a binary file upon connection (payload?)
> Port D: Will output a binary file upon connection (payload?)
> 
> This virus will kill off regedit and anti-virus programs that are run.
> It is likely that similar system utilities will likewise be affected. We
> have had general success with putting the machine in safemode and then
> running an anti-virus scan or manually removing the virus. There is an
> indication from local tech support that Gaobot does not always use the
> same file-payload naming scheme.  This could be due to different variants
> being found locally or attempts by the virus to escape detection.
> 
> Given the number of variants referenced by anti-virus vendors there is a
> chance that your mileage may vary.
> 
> http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.gen.html
> http://www.sophos.com/virusinfo/analyses/w32agobotaq.html
> http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100785
> 
> Jon Miyake
> 
> voice #: (541) 346-1635
> Computing Center Room 225
> University of Oregon
> 
> On Tue, 9 Dec 2003, Brian Eckman wrote:
> 
> 
>>OOPS - I made a mistake. The IRC server is  Brag-13-17.rh.ncsu.edu
>>
>>Sorry about that,
>>Brian
>>
>>Brian Eckman wrote:
>>
>>>What appears to be a new variant of Gaobot (KAV "Agobot") is making its
>>>way through our University and others. Infected machines are seen
>>>scanning hosts on 135/tcp and 445/tcp, presumably looking to spread
>>>itself. A co-worker downed quite a few of them over the past few days.
>>>
>>>The one machine I've been looking at this afternoon has the following
>>>characteristics (yours may vary):
>>>
>>>1. It is connected to an IRC channel #!X!# on Brag-13-11.rh.ncsu.edu
>>>(abuse at ncsu.edu has been notified). The server calls itself
>>>"fix.owned.you". There are over 400 other clients on this IRC server,
>>>presumably all on that channel (protected by a key that I do not have yet).
>>>
>>>2. It is scanning hosts on 135/tcp and 445/tcp. I have not seen the
>>>payload that occurs when a successful TCP conversation is initiated nor
>>>do I expect to ever be able to :-)
>>>
>>>3. It has an FTP server listening on 14899/tcp. Telnet to that port and
>>>you see
>>>220 "Welcome to Bot FTP service."   (including quotes)
>>>
>>>Keep pressing enter to see more statements. It makes it appear that FTP
>>>is the transport method. (Port might be random)
>>>
>>>4. It is, of course, Windows.
>>>
>>>Look for hosts talking IRC to that IP address listed. I saw a number of
>>>EDUs that had computers connected to that channel...
>>>
>>>I have not gotten my hands on the software that is causing this. I just
>>>wanted to send out an *early* warning for folks to start looking for
>>>this behavior. As I mentioned, I saw several Universities that were
>>>connecting to the IRC channel in question.
>>>
>>>At this point, I am assuming that the IRC traffic, FTP server and port
>>>scanning are all associated with the same malware. I do not have
>>>evidence to prove it yet. Based on the look of the IRC server, it
>>>doesn't look like what I would call "friendly".
>>>
>>>Brian
>>
>>
>>--
>>Brian Eckman
>>Security Analyst
>>OIT Security and Assurance
>>University of Minnesota
>>
>>
>>"There are 10 types of people in this world. Those who
>>understand binary and those who don't."
>>
> 
> 


-- 
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota


"There are 10 types of people in this world. Those who
understand binary and those who don't."
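An added example, not code from either poster: a small Python script that turns the indicators in this thread into checks an analyst could run. It matches the bot's FTP greeting (quotes included, as Brian notes), and flags hosts in a flow log that either talk to the IRC server named in the thread or contact many distinct hosts on 135/tcp and 445/tcp. The flow-record format, the sample records, the 6667 IRC port and the scan threshold are all constructed assumptions; the thread does not state the IRC port or how many targets a bot hits per minute.

```python
# Added example (not from the thread): detection helpers for the behaviour
# described in the posts. Hostnames, ports 135/445 and the FTP banner come
# from the thread; the flow format, sample records and IRC port are assumed.
import socket
from collections import defaultdict

# Greeting reported by both posters, including the quotation marks.
BOT_FTP_BANNER = b'220 "Welcome to Bot FTP service."'
# IRC server named in the original post and in Brian's correction.
IRC_C2_HOSTS = {"brag-13-11.rh.ncsu.edu", "brag-13-17.rh.ncsu.edu"}
# Ports the infected hosts were seen scanning.
SCAN_PORTS = {135, 445}


def is_bot_ftp_banner(greeting: bytes) -> bool:
    """True if the first line of an FTP greeting is the bot's banner."""
    lines = greeting.splitlines()
    return bool(lines) and lines[0].strip() == BOT_FTP_BANNER


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect to host:port and return whatever greeting it sends.

    Network use only; the offline checks below never call this.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            return sock.recv(512)
        except socket.timeout:
            return b""


def parse_flows(text: str):
    """Parse constructed 'src_ip dst_name dst_port' records, one per line."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        src, dst, port = line.split()
        flows.append((src, dst.lower(), int(port)))
    return flows


def find_suspects(flows, scan_threshold: int = 20):
    """Map each source address to the reasons it looks infected.

    'irc-c2': any connection to one of the IRC servers named in the thread.
    'scan-135-445': at least scan_threshold distinct destinations on 135/445.
    """
    scan_targets = defaultdict(set)
    reasons = defaultdict(set)
    for src, dst, port in flows:
        if dst in IRC_C2_HOSTS:
            reasons[src].add("irc-c2")
        if port in SCAN_PORTS:
            scan_targets[src].add(dst)
    for src, targets in scan_targets.items():
        if len(targets) >= scan_threshold:
            reasons[src].add("scan-135-445")
    return {src: sorted(r) for src, r in reasons.items()}


# Constructed sample: one scanner (30 distinct targets), one host on the IRC
# server (port 6667 is an assumption), and one host doing normal SMB traffic.
SAMPLE_FLOWS = "\n".join(
    [f"10.1.2.3 192.0.2.{i} 135" for i in range(1, 16)]
    + [f"10.1.2.3 192.0.2.{i} 445" for i in range(16, 31)]
    + [
        "10.1.2.4 Brag-13-17.rh.ncsu.edu 6667",
        "10.1.2.5 fileserver.example.edu 445",
        "10.1.2.5 printer.example.edu 445",
    ]
)

if __name__ == "__main__":
    print("banner match:", is_bot_ftp_banner(b'220 "Welcome to Bot FTP service."\r\n'))
    for src, why in sorted(find_suspects(parse_flows(SAMPLE_FLOWS)).items()):
        print(src, ", ".join(why))
```

The banner check is deliberately exact: as Jon's capture shows, the rest of the FTP dialogue is generic enough to collide with real servers, while the 220 line with its quotes is distinctive. The scan threshold is the knob to tune against your own baseline; a few 445/tcp connections from one host is ordinary file-sharing traffic, so the sample benign host is not flagged.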


