eckman at umn.edu
Wed Feb 18 19:35:40 GMT 2004
Jeff Nagel wrote:
> Here is what I found after spending some time with an infected machine. In
> C:\Winnt\System32 there are two files, winampa.exe and winampa.exe.poly
> which are both 226K. There is also a service installed called Win leoahder.
> In the registry in HKLM\Software\Microsoft\Windows\Current Version\Run and
> Run Services there is a key named win leoahder. I deleted the two registry
> keys and the two files and I was able to run regedit as well as Norton. Not sure
> if this was a virus a worm or some spyware.
It's a new variant of Gaobot. I sent one in to Symantec today. It should
be in their definitions tomorrow.
When I deleted the two registry entries and rebooted (using a lab
machine), it put the registry entries back before the reboot occurred, so
I was not able to remove it via that method. I was not able to end
process on the winampa.exe process (access denied error), and was not
able to manually stop the Service either (access denied error).
Just a note: If you nmap a machine that has Gaobot (or you suspect has
Gaobot), try telnetting to any obscure high numbered open port that you
find. Typically, a machine infected with Gaobot will have one of the
open ports throw a binary stream at you upon connecting to it. I use
netcat to connect to that port and output the stream to a file (nc -v
ip.address.here port > bot.exe). Then I open that file in a hex editor
and remove the first four bytes, and save it. That gives me a working
copy of the Gaobot worm that host is infected with.
Another random port that is opened by Gaobot will return a "220 Welcome
to the Bot FTP Service" or something just like that.
I have recently noticed that several variants of Gaobot (including the
one that you mention) were trying to access 10.0.1.128:6667. That IP
address isn't in use on our network (it might be a lookup for an old IRC
server at lar.ath.cx). Might be one way to look for more Gaobot
infections on your campus.
OIT Security and Assurance
University of Minnesota
"There are 10 types of people in this world. Those who
understand binary and those who don't."
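Added example, not part of the original post or the list archive: a small Python script that applies two of the defensive steps described above. First, it strips the four leading bytes from a stream saved with `nc ... > bot.exe` and checks that what remains starts with the DOS `MZ` magic, so an analyst can tell whether the capture is really an executable before submitting it to a vendor. Second, it scans firewall log lines for internal hosts that tried to reach 10.0.1.128:6667 and checks a service banner against the bot's FTP greeting quoted in the post. The captured stream, the log format and all addresses other than 10.0.1.128:6667 are constructed for the example.

```python
import re
from typing import Set

# Constructed stand-in for what `nc -v host port > bot.exe` might have written:
# a 4-byte prefix (here an arbitrary length-style header) followed by a stub
# that begins with the DOS 'MZ' magic. This is NOT a real sample.
CAPTURED_STREAM = b"\x00\x00\x01\x2c" + b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"


def strip_prefix(stream: bytes, prefix_len: int = 4) -> bytes:
    """Drop the leading bytes the bot sends before the executable image."""
    return stream[prefix_len:]


def looks_like_pe(data: bytes) -> bool:
    """Sanity check: a Windows executable starts with the DOS 'MZ' magic."""
    return data[:2] == b"MZ"


# Constructed firewall log lines in a simple, hypothetical format:
#   timestamp src_ip:src_port -> dst_ip:dst_port proto
# Source addresses are made up; the destination is the one noted in the post.
SAMPLE_LOG = """\
2004-02-18T19:01:02 10.20.30.40:1088 -> 10.0.1.128:6667 TCP
2004-02-18T19:01:05 10.20.30.41:2201 -> 192.0.2.10:80 TCP
2004-02-18T19:02:11 10.20.30.42:3398 -> 10.0.1.128:6667 TCP
2004-02-18T19:02:12 10.20.30.40:1090 -> 10.0.1.128:6667 TCP
2004-02-18T19:03:00 10.20.30.43:4000 -> 10.0.1.128:6668 TCP
"""

LOG_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\S+)$"
)


def suspect_hosts(log_text: str, dst_ip: str = "10.0.1.128",
                  dst_port: int = 6667) -> Set[str]:
    """Return the source IPs that attempted a connection to dst_ip:dst_port.

    A hit only marks a host as worth a closer look; confirm on the host
    itself (the winampa.exe files and the 'win leoahder' service/Run keys).
    """
    hits: Set[str] = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        _ts, src, _sport, dst, dport, _proto = m.groups()
        if dst == dst_ip and int(dport) == dst_port:
            hits.add(src)
    return hits


# Banner text as quoted in the post; the author notes the exact wording may vary,
# so match on the distinctive phrase rather than the whole line.
BOT_FTP_MARKER = b"Bot FTP Service"


def banner_matches(banner: bytes) -> bool:
    """True when a captured greeting contains the bot's FTP banner phrase."""
    return banner.startswith(b"220") and BOT_FTP_MARKER in banner


if __name__ == "__main__":
    sample = strip_prefix(CAPTURED_STREAM)
    print("raw capture starts with MZ:", looks_like_pe(CAPTURED_STREAM))
    print("stripped capture starts with MZ:", looks_like_pe(sample))
    print("hosts reaching 10.0.1.128:6667:", sorted(suspect_hosts(SAMPLE_LOG)))
    print("banner check:", banner_matches(b"220 Welcome to the Bot FTP Service\r\n"))
```

Against a real capture, replace `CAPTURED_STREAM` with the contents of the file netcat wrote; the point of the `MZ` check is to catch the case where the stream was not an executable at all, so the four-byte strip would have been applied to the wrong thing.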