w32.HLLW.Gaobot.gen

Discussion in 'QnA (read only)' started by asabdulrahim, Oct 27, 2004.

Thread Status:
Not open for further replies.
  1. asabdulrahim (New Member, joined Oct 24, 2004)

    My system was attacked by a virus, W32.HLLW.Gaobot.gen. Though I was able to quarantine it using Norton Antivirus, it is still not able to run LiveUpdate, nor am I able to visit the Symantec site to update! What could be the problem?
     
  2. IG (New Member, joined Mar 17, 2004, Chennai)

  3. ice (New Member, joined Dec 28, 2003, Mumbai)

    Hmm, since he said he couldn't access the Symantec site, I'll post the stuff I feel is needed.

    Note: Virus definitions, version 60227t (extended version 2/27/2004 rev. 20) and later, detect the threat known as Phatbot as W32.HLLW.Gaobot.gen.

    What it Does

    A worm from the W32.HLLW.Gaobot.gen family generally does the following:

    1. Copies itself to the %System% folder. The file names vary and are often selected to resemble the names of legitimate Windows system files. Some examples include Csrrs.exe, Scvhost.exe, System.exe, explored.exe, or lms.exe.

    However, many other file names have been seen. The attacker can program the file names and the actions that the worm performs.

    Note: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    2. Adds a value in the form:

    "<key name>" = "<the filename of the worm>"

    for example:
    * "Configuration Loader" = "Service.exe"
    * "Windows Login" = "lms.exe"

    to the registry keys:
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

    so that the worm runs when you start Windows.

    3. May create a service for the worm and set it to automatically run on startup. To do this, the worm creates a registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<service name>

    Note: Typical values for <service name> are x4, a3, or MpR. However, the name can be configured to be any value.
    4. Connects to an IRC server, using its own IRC client, and then listens for commands to do any of the following:
    * Download and execute files
    * Steal system information
    * Send the worm to other IRC users
    * Add new accounts
    * Perform Denial of Service (DoS) attacks

    5. Attempts to spread to other computers using numerous vulnerabilities. These could include:
    * The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
    * The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
    * The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03-049.
    * The Microsoft Messenger Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-043).
    * The Locator service vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445. The worm specifically targets Windows 2000 machines using this exploit.
    * The UPnP vulnerability (described in Microsoft Security Bulletin MS01-059).
    * The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061), using UDP port 1434.
    * The LSASS vulnerability (described in Microsoft Security Bulletin MS04-011) using TCP ports 139 and 445.
    * The backdoor ports that the Beagle and Mydoom families of worm open.

    6. Attempts to connect to network shares. To do this, it uses easily guessed user name/password combinations, including empty passwords.

    Some examples of this are:
    * admin$
    * c$
    * d$
    * e$
    * print$


    Read the W32.HLLW.Gaobot.AA writeup for a sample list of user names and passwords.

    7. Copies itself to any computers that it compromised using the previously mentioned exploits.

    8. Remotely schedules a task to run the worm on a newly infected computer.

    9. Queries the registry to steal the CD keys of various games.

    10. Terminates antivirus and firewall software, as well as the process names associated with other worms.

    11. Recent Gaobot variants may add entries to the %System%\drivers\etc\hosts file to disable access to certain antivirus Web sites.

    Refer to the W32.Gaobot.ZW writeup for a typical list of entries that may be added to the Hosts file.


    Recommendations
    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    * Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
    * If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    * Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
    * Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    * Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
    * Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
    * Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.



    Removal Instructions
    Before you begin:
    If you are running Windows NT/2000/XP, make sure that you do, or have done, the following:

    * Create a secure password. This threat takes advantage of weak network passwords. (A full-time Internet connection, such as DSL or Cable, is considered a network connection for these purposes.)
    * Patch the DCOM RPC vulnerability as described in Microsoft Security Bulletin MS03-026.
    * Patch the WebDav vulnerability as described in Microsoft Security Bulletin MS03-007.
    * Patch the Workstation service buffer overrun vulnerability as described in Microsoft Security Bulletin MS03-049.
    * Patch the Microsoft Messenger Service Buffer Overrun Vulnerability as described in Microsoft Security Bulletin MS03-043.
    * Patch the Locator service vulnerability as described in Microsoft Security Bulletin MS03-001.
    * Patch the UPnP vulnerability as described in Microsoft Security Bulletin MS01-059.
    * Patch the vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit as described in Microsoft Security Bulletin MS02-061.
    * Patch the LSASS vulnerability as described in Microsoft Security Bulletin MS04-011.

    Removal using the Removal Tool
    Symantec Security Response has developed a removal tool to clean the infections of W32.HLLW.Gaobot.gen. The removal tool will remove many but not all variants that are detected as W32.HLLW.Gaobot.gen.

    If the removal tool cannot remove the variant that has infected your computer, follow the instructions in the next section.

    Here is the tool - uploaded to my webspace
    Code:
    http://www.freewebs.com/freak_jock/FxGaobot.exe
    What the tool does

    The W32.Gaobot Removal Tool does the following:

    1. Terminates the W32.Gaobot viral processes and services.
    2. Deletes the W32.Gaobot files.
    3. Deletes the dropped files.
    4. Deletes the registry values that the worm added.
    5. Modifies the hosts file by removing invalid entries which prevent access to various antivirus related websites.

    1. Download the FxGaobot.exe file from:

    http://securityresponse.symantec.com/avcenter/FxGaobot.exe

    2. Save the file to a convenient location, such as your downloads folder or the Windows Desktop (or removable media known to be uninfected, if possible).
    3. To check the authenticity of the digital signature, refer to the section, "Digital signature."
    4. Close all the running programs before running the tool.
    5. If you are on a network or you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
    6. If you are running Windows Me or XP, then disable System Restore. Refer to the section, "System Restore option in Windows Me/XP," for additional details.

    CAUTION: If you are running Windows Me/XP, we strongly recommend that you do not skip this step. The removal procedure may be unsuccessful if Windows Me/XP System Restore is not disabled, because Windows prevents outside programs from modifying System Restore.
    7. Double-click the FxGaobot.exe file to start the removal tool.
    8. Click Start to begin the process, and then allow the tool to run.

    Note: If, when running the tool, you see a message that the tool was not able to remove one or more files, run the tool in Safe mode. Shut down the computer, turn off the power, and then wait 30 seconds. Restart the computer in Safe mode and run the tool again.

    All the Windows 32-bit operating systems, except Windows NT, can be restarted in Safe mode. For instructions on restarting the computer in Safe mode, read the document, "How to start the computer in Safe Mode."
    9. Restart the computer.
    10. Run the removal tool again to ensure that the system is clean.
    11. If you are running Windows Me/XP, then re-enable System Restore.
    12. Run LiveUpdate to make sure that you are using the most current virus definitions.


    When the tool has finished running, you will see a message indicating whether W32.Gaobot infected the computer. In the case of a worm removal, the program displays the following results:

    * Total number of the scanned files
    * Number of deleted files
    * Number of terminated viral processes
    * Number of fixed registry entries
    * Stopped and deleted viral processes and services



    That should work; if it doesn't, then get back to me and I'll write the manual method.
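Added example (mine, not part of ice's post or of the Symantec writeup it quotes): a small Python triage script for the two persistence traits in the writeup that also account for the original symptom in this thread. Step 11 (hosts-file entries that sink antivirus vendor sites) is the usual reason LiveUpdate and the Symantec site become unreachable after a Gaobot infection, and steps 1 and 2 (Run/RunServices values whose image names mimic Windows system binaries) are where the worm survives a reboot. The sample hosts file, the Run values other than the two quoted in the writeup, the vendor domain list, the list of legitimate system binaries and the lookalike threshold are all constructed or assumed for illustration.

```python
"""Triage helpers for two Gaobot traits from the writeup above:
step 2 (autorun values whose image names mimic Windows system binaries)
and step 11 (hosts-file entries that sink antivirus vendor sites).
All sample data below is constructed for illustration."""
from typing import Dict, List, Tuple

# Constructed sample hosts file. The vendor host names are an assumption
# modelled on the symptom in the thread (LiveUpdate and the Symantec site
# unreachable), not copied from a real infection.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1\tlocalhost
127.0.0.1\tsecurityresponse.symantec.com
127.0.0.1\tliveupdate.symantecliveupdate.com
0.0.0.0   www.symantec.com   # some variants use 0.0.0.0 instead
10.0.0.5  fileserver.corp.example
"""

# Constructed Run/RunServices values. The first two are the examples given
# in the writeup; the rest are assumed, with "CTFMON" standing in for a
# legitimate Windows XP autorun entry.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "Configuration Loader": "Service.exe",
    "Windows Login": "lms.exe",
    "System Monitor": "Csrrs.exe",
    "Microsoft Update": "Scvhost.exe",
    "Shell": "explored.exe",
    "CTFMON": "ctfmon.exe",
}

# Vendor domains that should never resolve to a loopback/null address (assumed).
PROTECTED_SUFFIXES = ("symantec.com", "symantecliveupdate.com",
                      "microsoft.com", "windowsupdate.com")
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

# Real Windows process image names the worm's file names imitate (assumed list).
LEGIT_SYSTEM_BINARIES = ("csrss.exe", "svchost.exe", "lsass.exe", "smss.exe",
                         "services.exe", "winlogon.exe", "explorer.exe")


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) for each active line; comments are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip full-line and inline comments
        if not line:
            continue
        fields = line.split()                  # tabs and runs of spaces both work
        entries.append((fields[0], fields[1:]))
    return entries


def hijacked_entries(text: str) -> List[Tuple[str, str]]:
    """(address, hostname) pairs that pin a protected vendor name to a local sink."""
    hits = []
    for addr, names in parse_hosts(text):
        if addr not in LOCAL_SINKS:
            continue
        for name in names:
            if name.lower() != "localhost" and name.lower().endswith(PROTECTED_SUFFIXES):
                hits.append((addr, name))
    return hits


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_autoruns(values: Dict[str, str]) -> List[Tuple[str, str, str, int]]:
    """Flag autorun images whose file stem is a near miss of a real system binary.

    A near miss is at most one edit per three characters of the legitimate
    stem (minimum one), so short names such as smss tolerate a single edit.
    Exact matches are not flagged (a genuine explorer.exe is not a lookalike),
    and names that resemble nothing, such as lms.exe, need other evidence.
    """
    hits = []
    for value_name, image in values.items():
        stem = image.lower().rsplit(".", 1)[0]
        best = None
        for legit in LEGIT_SYSTEM_BINARIES:
            lstem = legit.rsplit(".", 1)[0]
            d = edit_distance(stem, lstem)
            if 0 < d <= max(1, len(lstem) // 3) and (best is None or d < best[1]):
                best = (legit, d)
        if best:
            hits.append((value_name, image, best[0], best[1]))
    return hits


if __name__ == "__main__":
    for addr, name in hijacked_entries(SAMPLE_HOSTS):
        print(f"hosts: {name} pinned to {addr}")
    for value_name, image, legit, d in lookalike_autoruns(SAMPLE_RUN_VALUES):
        print(f"autorun: {value_name!r} = {image} looks like {legit} ({d} edit(s))")
```

To use it on a real machine, feed it the contents of %System%\drivers\etc\hosts and the values exported from the two Run keys named in the writeup (for example with `reg export`). Anything it flags still needs confirming by file hash or signature, and the lms.exe case shows the limit of a name heuristic: a worm file that resembles nothing is caught by the hosts-file check, the service names, or the antivirus definitions, not by this filter.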
     
  4. ice (New Member, joined Dec 28, 2003, Mumbai)
