W32.Gaobot.ALU

W32.Gaobot.ALU is a worm that attempts to spread through network shares that have weak passwords. It also allows attackers to access an infected computer using a predetermined IRC channel. Also, the worm attempts to kill the processes of many antivirus and security applications.

The worm uses multiple vulnerabilities to spread, including the following:

• The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135
• The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80
• The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445
  Applying Microsoft Security Bulletin MS03-043 to Windows XP protects against this vulnerability. Windows 2000 users must apply MS03-049.
• The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011) using TCP port 445

Protection

• Initial Rapid Release version May 20, 2004
• Latest Rapid Release version May 20, 2004
• Initial Daily Certified version May 20, 2004
• Latest Daily Certified version May 20, 2004
• Initial Weekly Certified release date May 26, 2004

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Moderate

Damage

• Damage Level: Medium

Distribution

• Distribution Level: Medium