W32.HLLW.Gaobot.AF

W32.HLLW.Gaobot.AF is a minor variant of W32.HLLW.Gaobot.AA and W32.HLLW.Gaobot.AE. It attempts to spread to network shares that have weak passwords and allows attackers to access an infected computer through an IRC channel.

The worm uses multiple vulnerabilities, including:

• The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. Using this exploit, the worm specifically targets Windows XP computers.
• The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445.
  
  W32.HLLW.Gaobot.AF is compressed with UPX.
  
  

  ---

  Note: Virus definitions dated prior to September 17, 2003 may detect this threat as W32.HLLW.Gaobot.AA.

  ---

  
  

Protection

• Initial Rapid Release version September 17, 2003
• Latest Rapid Release version August 20, 2008 revision 017
• Initial Daily Certified version September 17, 2003
• Latest Daily Certified version January 20, 2009 revision 048
• Initial Weekly Certified release date September 17, 2003

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 50 - 999
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Medium

Distribution

• Distribution Level: Medium