rkaiser at gwm.sc.edu
Tue Feb 17 01:41:52 GMT 2004
W32/GaoBot is one worm that will kill the registry editor, antivirus
software, etc., and is pretty active. It will also use the RPC DCOM
vulnerability on TCP port 135 to spread. The most recent time I saw it,
it dropped itself in the following two files with a file size of 269,429,
detectable by McAfee:
Symantec, though, shows lots of different variants dropping themselves in lots
of locations, so no guarantees on where it will be located or on file size.
This link mentions some of the processes it will try to kill, methods of
infection, etc., for one variant.
The infected hosts I've seen tend to all talk outbound to an IRC server.
The last time I saw GaoBot hosts they were talking outbound on TCP port
5999 to an IRC server, but I believe it just depends on what the person
who implemented it decides to use for a port number.
Network Security Engineer
University of South Carolina
Phone: (803)777-4685 Email: kaiser at sc.edu
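The two traffic patterns described above (internal hosts hitting many neighbours on TCP/135, and the same hosts holding outbound connections to an IRC server on an operator-chosen port such as 5999) are easy to spot in flow or firewall logs. The script below is an added example and is not code from the original post; the flow records are constructed, the 10.0.0.0/8 "internal" range and the port list are assumptions, and the scan threshold is a tunable placeholder.

```python
"""Flag internal hosts showing the GaoBot traffic patterns from the post:
RPC DCOM spreading on TCP/135 and outbound IRC-style command channels."""
from collections import defaultdict
import ipaddress

# Constructed sample flow records (not real data):
# (src_ip, dst_ip, proto, dst_port)
SAMPLE_FLOWS = [
    ("10.1.2.3", "10.1.5.10", "tcp", 135),
    ("10.1.2.3", "10.1.5.11", "tcp", 135),
    ("10.1.2.3", "10.1.5.12", "tcp", 135),
    ("10.1.2.3", "10.1.5.13", "tcp", 135),
    ("10.1.2.3", "10.1.5.14", "tcp", 135),
    ("10.1.2.3", "10.1.5.15", "tcp", 135),
    ("10.1.2.3", "203.0.113.7", "tcp", 5999),   # outbound to an external IRC server
    ("10.1.2.9", "10.1.5.10", "tcp", 135),      # a couple of 135 hits: below threshold
    ("10.1.2.9", "10.1.5.11", "tcp", 135),
    ("10.1.2.4", "198.51.100.2", "tcp", 80),    # ordinary web traffic
    ("10.1.2.4", "10.1.5.20", "udp", 135),      # not TCP, ignored
]

# Assumptions: the local address space, the IRC port observed in the post
# (the bot herder picks it, so treat this list as a hint, not a rule), and
# how many distinct TCP/135 targets count as worm-like scanning.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
IRC_PORTS = {5999}
SCAN_THRESHOLD = 5


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET


def analyze(flows, irc_ports=IRC_PORTS, scan_threshold=SCAN_THRESHOLD):
    """Return {internal_host: [finding, ...]} where a finding is
    ("dcom_scan", distinct_135_targets) or ("irc_c2", external_peer)."""
    dcom_targets = defaultdict(set)   # src -> internal hosts it touched on tcp/135
    irc_peers = defaultdict(set)      # src -> external peers on an IRC port

    for src, dst, proto, dport in flows:
        if proto != "tcp" or not is_internal(src):
            continue
        if dport == 135 and is_internal(dst) and src != dst:
            dcom_targets[src].add(dst)
        elif dport in irc_ports and not is_internal(dst):
            irc_peers[src].add(dst)

    findings = {}
    for host in set(dcom_targets) | set(irc_peers):
        reasons = []
        if len(dcom_targets[host]) >= scan_threshold:
            reasons.append(("dcom_scan", len(dcom_targets[host])))
        for peer in sorted(irc_peers[host]):
            reasons.append(("irc_c2", peer))
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in sorted(analyze(SAMPLE_FLOWS).items()):
        print(host, reasons)
```

A host that shows both findings at once (scanning 135 internally and holding an outbound IRC session) is the strongest signal; a lone 135 burst can also be a legitimate DCOM client, so the threshold is worth tuning against your own baseline before acting on it.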
>>> "Jeff Nagel" <jnagel at wlc.edu> 02/16/04 19:14 PM >>>
We've recently begun to see some machines with Blaster-like activity
the RPC message and then the machine reboots itself. Virus protection
seems to get disabled, and when you try to do LiveUpdate, it closes.
symptom is when you try to go into the registry, it closes on you. The
machines also are showing outbound traffic on port 135.
Jeff Nagel, MCP
Network Support Specialist
Wisconsin Lutheran College