[unisog] Virus?

Russell Kaiser rkaiser at gwm.sc.edu
Tue Feb 17 01:41:52 GMT 2004


W32/GaoBot is one worm that will kill the registry editor, antivirus
software, etc., and is pretty active.  It will also use the RPC DCOM
vulnerability on TCP port 135 to spread.  The most recent time I saw it,
it dropped itself in the following two files with a file size of 269,429,
detectable by McAfee:

C:\windows\system32\sndman.exe
C:\windows\system32\winhlpp32.exe

Symantec, though, shows lots of different variants dropping themselves in
lots of locations, so no guarantees on where it will be located or its file
size.  This link mentions some of the processes it will try to kill, methods
of infection, etc., for one variant.

http://www.sarc.com/avcenter/venc/data/w32.hllw.gaobot.fl.html

The infected hosts I've seen tend to all talk outbound to an IRC server.
The last time I saw GaoBot hosts they were talking outbound on TCP port
5999 to an IRC server, but I believe it just depends on what the person
who implemented it decides to use for a port number.



Russell Kaiser
Network Security Engineer
Computer Services
University of South Carolina
Phone: (803)777-4685  Email: kaiser at sc.edu

>>> "Jeff Nagel" <jnagel at wlc.edu> 02/16/04 19:14 PM >>>
We've recently begun to see some machines with Blaster-like activity,
such as the RPC message and then the machine reboots itself.  Virus
protection seems to get disabled, and when you try to do LiveUpdate it
closes.  Another symptom is that when you try to go into the registry it
closes on you.  The machines are also showing outbound traffic on port 135.
 
Any ideas?
 
Jeff Nagel, MCP
Network Support Specialist
Wisconsin Lutheran College
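The traffic pattern Russell describes above (outbound TCP/135 fan-out from the RPC DCOM spreading, plus infected hosts all talking outbound to the same IRC server on an operator-chosen port) can be triaged from flow logs. This is an added example, not code from the thread or from either poster; the flow records, addresses, thresholds and port list are constructed for illustration.

```python
"""Flag hosts showing the GaoBot traffic pattern discussed in the thread:
many distinct targets on TCP/135 (worm spreading) combined with a shared
outbound rendezvous on a non-standard external port (IRC C2, port varies)."""
from collections import defaultdict

# Constructed sample flow records: (src_ip, dst_ip, dst_port, proto).
# 10.1.2.3 and 10.1.2.4 show the worm pattern; 10.1.2.5 is a normal client.
SAMPLE_FLOWS = [
    ("10.1.2.3", "10.1.2.10", 135, "tcp"),
    ("10.1.2.3", "10.1.2.11", 135, "tcp"),
    ("10.1.2.3", "10.1.2.12", 135, "tcp"),
    ("10.1.2.3", "10.1.2.13", 135, "tcp"),
    ("10.1.2.3", "10.1.2.14", 135, "tcp"),
    ("10.1.2.3", "198.51.100.7", 5999, "tcp"),
    ("10.1.2.4", "10.1.2.20", 135, "tcp"),
    ("10.1.2.4", "10.1.2.21", 135, "tcp"),
    ("10.1.2.4", "10.1.2.22", 135, "tcp"),
    ("10.1.2.4", "10.1.2.23", 135, "tcp"),
    ("10.1.2.4", "10.1.2.24", 135, "tcp"),
    ("10.1.2.4", "198.51.100.7", 5999, "tcp"),
    ("10.1.2.5", "10.1.2.10", 135, "tcp"),   # a single RPC call is normal
    ("10.1.2.5", "203.0.113.9", 443, "tcp"),
    ("10.1.2.5", "203.0.113.9", 80, "tcp"),
]

# Ports we treat as ordinary outbound services (assumed list, tune per site).
COMMON_PORTS = frozenset({21, 22, 25, 53, 80, 110, 143, 443, 993, 995})

def analyze_flows(flows, internal_prefix="10.", scan_threshold=5, min_shared=2):
    """Return (scanners, c2_candidates, infected).

    scanners: internal hosts contacting >= scan_threshold distinct targets on TCP/135.
    c2_candidates: {(dst_ip, dst_port): hosts} for non-standard external ports
        reached by >= min_shared internal hosts; the IRC port is chosen by whoever
        deployed the bot, so we look for a shared rendezvous rather than a fixed port.
    infected: hosts that appear in both sets.
    """
    rpc_targets = defaultdict(set)
    rendezvous = defaultdict(set)
    for src, dst, dport, proto in flows:
        if proto != "tcp" or not src.startswith(internal_prefix):
            continue
        if dport == 135:
            rpc_targets[src].add(dst)
        elif not dst.startswith(internal_prefix) and dport not in COMMON_PORTS:
            rendezvous[(dst, dport)].add(src)
    scanners = {h for h, t in rpc_targets.items() if len(t) >= scan_threshold}
    c2 = {k: v for k, v in rendezvous.items() if len(v) >= min_shared}
    infected = scanners & set().union(*c2.values())
    return scanners, c2, infected

if __name__ == "__main__":
    print(analyze_flows(SAMPLE_FLOWS))
```

Hosts in the `infected` set are candidates to isolate and check for the dropped files Russell lists; the `c2_candidates` destinations are what to block at the border.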
 


