Educause Security Discussion mailing list archives

Re: Gaobot


From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Mon, 8 Dec 2003 13:00:09 -0500

On Dec 4, 2003, at 2:44 PM, Walsh, Brian R. (Information Services) wrote:
Is anyone else getting hit with the Gaobot worm? We're having a moderate outbreak on PCs that don't have the latest Windows updates.

Brian Walsh
Information Security Officer

Brian -

Your note prodded us into looking very carefully.
We noticed a reasonably sized Gaobot (W32.HLLW.Gaobot.gen) worm infection on Friday (12/5).
We believe the PCs were infected earlier (on 12/3 and 12/4):

Most of the computers that were detected were:
* Communicating with <DELETED>.edu hosts which were running rogue IRC servers at TCP port 8040.
( <DELETED> is a southern US public university which has been notified...). The IRC Chat Channel
logged into on the remote rogue servers was #skan (we also found a few computers here listening at TCP port 8040).
* Listening at TCP port 34234. No useful text banner returned upon connecting to it with telnet.
* Usually listening at TCP port 113 ( to facilitate easy connections to IRC servers we presume).
* Listening on at least one random dynamic port ( > 2049). Connecting to this port returns garbage
which appears to be an executable:
?MZ???@??? ?!?L?!This program cannot be run in DOS mode.
.... ?RichbA!?PELb????
?? @ Tcode@?text? ?@?rsrc?@?1.24?ѥ? ...
* A PC examined had the following files associated with the worm in %System% (some in
\Windows\System32, some in \Windows\System):
ao.exe, filename.exe and filename.exe.poly (60Kb each)
(both filename.exe and filename.exe.poly were ID'ed as containing
W32.HLLW.Gaobot.gen)
r.bat (1Kb)
EDU-EXE-3335EE7F.pf (9Kb)
That machine appears to have been a fresh vanilla Windows XP Pro install with no updates (it also
had MSBlast running on it).
It is not known why Norton A/V didn't detect/deflect the worm infection on the PC (likely either Norton
wasn't active or updated, or the worm disabled it -- Gaobot disables a number of security software packages:
anti-virus, firewall, etc.).

- H. Morrow Long
Dir. InfoSec
Yale Univ., ITS
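The network indicators in the message above (an established connection to a rogue IRC server on TCP 8040, listeners on TCP 34234 and 113, and a random high port that hands back an executable when you connect) can be turned into a small triage check for a responder walking through infected PCs. The following script is an added example for this archive page, not code from the thread or from either poster; the netstat-style socket table, the addresses and the banner bytes it parses are all constructed inline, and the verdict rule (IRC on 8040, or both fixed listeners, or a PE served from a high port) is an assumption of the example rather than anything the post states.

```python
import re

ROGUE_IRC_PORT = 8040            # rogue IRC servers described in the post
WORM_LISTEN_PORTS = {34234, 113} # fixed listeners described in the post
DYNAMIC_PORT_MIN = 2050          # "at least one random dynamic port (> 2049)"

# Constructed sample in `netstat -an` style; addresses are documentation ranges, not real hosts.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.1.2.3:1045          192.0.2.10:8040        ESTABLISHED
  TCP    0.0.0.0:34234          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5412           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.1.2.3:1050          192.0.2.20:80          ESTABLISHED
"""

# Constructed bytes standing in for what the post saw when telnetting to the dynamic port:
# an MZ header followed by the usual DOS stub text.
SAMPLE_BANNER = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 40
                 + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
                 + b"This program cannot be run in DOS mode.\r\r\n$")

LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(\S*)\s*$")


def parse_netstat(text):
    """Parse TCP rows out of netstat-style text into dicts; headers and UDP lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) != "TCP":
            continue
        _, laddr, lport, raddr, rport, state = m.groups()
        rows.append({"laddr": laddr, "lport": int(lport),
                     "raddr": raddr, "rport": int(rport), "state": state})
    return rows


def looks_like_pe(banner: bytes) -> bool:
    """True if data returned on connect looks like a Windows executable:
    MZ header plus either the DOS stub text or a PE signature."""
    return banner[:2] == b"MZ" and (
        b"This program cannot be run in DOS mode" in banner or b"PE\x00\x00" in banner)


def assess(netstat_text, banners=None):
    """Match one host's socket table against the indicators from the post.

    banners: optional {local_port: bytes} read by connecting to each high-port
    listener (constructed here). Returns the indicator names hit and a verdict.
    """
    banners = banners or {}
    names = []
    for r in parse_netstat(netstat_text):
        if r["state"] == "ESTABLISHED" and r["rport"] == ROGUE_IRC_PORT:
            names.append("irc_8040")
        elif r["state"] == "LISTENING":
            if r["lport"] in WORM_LISTEN_PORTS:
                names.append(f"listen_{r['lport']}")
            elif r["lport"] >= DYNAMIC_PORT_MIN:
                # A high-port listener by itself is common on a workstation; it only
                # counts once the banner shows an executable being served, as in the post.
                names.append("listen_dynamic")
                if looks_like_pe(banners.get(r["lport"], b"")):
                    names.append(f"pe_served_{r['lport']}")
    suspected = ("irc_8040" in names
                 or ("listen_34234" in names and "listen_113" in names)
                 or any(n.startswith("pe_served_") for n in names))
    return {"indicators": names, "suspected": suspected}


if __name__ == "__main__":
    print(assess(SAMPLE_NETSTAT, {5412: SAMPLE_BANNER}))
```

Port 113 (ident) and a single high-port listener are both ordinary on many machines, which is why the verdict only fires on the IRC connection, on the pair of fixed listeners together, or on a high port that actually returns a PE image; a real deployment would feed it the live `netstat -an` output and the bytes read from each candidate port.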
