
W32.HLLW.Gaobot

Risk Level 2: Low

Discovered:
October 22, 2002
Updated:
February 13, 2007 11:56:04 AM
Also Known As:
W32/Gaobot.worm [McAfee], WORM_GAOBOT
Type:
Worm
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Upon execution, W32.HLLW.Gaobot performs the following actions:

It copies itself as %system%\Sysldr32.exe.

NOTE: This %system% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The worm adds the value:

"Config Loader"="%system%\sysldr32.exe"

to the registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that it runs each time that you start Windows.


It may add the value:

"[Default]"="regfile"

to the registry key:

HKEY_CLASSES_ROOT\.Key
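The autostart entries above are the most reliable host-based indicator of this worm. The following added example (not part of the Symantec writeup) parses the text of a `.reg` export of the Run, RunOnce and RunServices keys and flags values whose name is "Config Loader" or whose data points at sysldr32.exe; the sample export embedded at the bottom is constructed.

```python
import re

# Autostart keys named in the writeup; Gaobot writes the same value to all three.
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
# Indicators from the writeup: the value name and the dropped file name.
IOC_VALUE_NAME = "config loader"
IOC_FILE_NAME = "sysldr32.exe"

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"\s*$')


def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in .reg export text."""
    key = None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            # .reg files escape backslashes and quotes; undo that before comparing.
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            yield key, m.group("name"), data


def find_gaobot_persistence(text):
    """Return autostart entries matching the Gaobot indicators as (key, name, data)."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in AUTOSTART_KEYS:
            continue
        if name.lower() == IOC_VALUE_NAME or data.lower().endswith(IOC_FILE_NAME):
            hits.append((key, name, data))
    return hits


# Constructed sample export: one legitimate entry plus the worm's entries.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Config Loader"="C:\\WINDOWS\\system32\\sysldr32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Config Loader"="C:\\WINDOWS\\system32\\sysldr32.exe"
"""
```

Run `find_gaobot_persistence(SAMPLE_REG)` to see the two worm entries reported while the legitimate ctfmon entry is ignored.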

The worm connects to an IRC server on one of these ports:
  • 6667
  • 9900
and joins a specified channel where it will listen for commands.

Actions as a result of commands
Some of the commands that the worm supports, and the actions that it can take as the result of these commands, are described in this section.

One command causes the worm to attempt to copy itself to all computers on the network by downloading the program Psexec.exe. This program is a utility that can start services on a remote computer using the Server Message Block (SMB) protocol. (This may account for increased activity on port 445.) This function also attempts to guess the remote computer's user name and password. It creates the Woinggg.bat file in the \System folder of the infected computer; this .bat file attempts to connect to the remote computer by issuing multiple net use commands with different user names and simple passwords. Once that has completed, the worm attempts to use the Psexec.exe utility to copy a copy of itself to the remote computer as Woinggg.exe and then run it.

Another command causes the worm to locate the shared folders of Kazaa, Bearshare, and Grokster, and to copy a file into them under a file name constructed as follows:

It chooses a name from this list:
  • Kylie Minogue
  • Shakira
  • Christina Aguilera
  • Britney Spears
  • Michelle Behennah
  • Kate Moss
  • Helena Christensen
  • Emma Sjoberg
  • Stacey Keibler
  • Karina Lombard
  • Kylie Bax
  • Cameron Diaz
  • Lexa Doig
  • Belinda Chapple
  • Alessandra Ambrosia
  • Kirsten Dunst
  • Halle Berry
  • Salma Hayek
  • Charlize Theron
  • Katie Price
  • Pamela Anderson
  • Donna D'Erico
  • Ashley Judd
  • Carmen Electra
  • Jessica Alba
  • Amanda Peet
  • Sandra Bullock
  • Gillian Anderson
  • Anna Kournikova
  • Samantha Mumba
  • Chandra North
  • Kelly Hu
  • Jolene Blalock

and then inserts that name into a title chosen from this list, replacing the %s placeholder with the name chosen from the first list:
  • Watch %s sucking and f*ck*ng - XXX NOTE: Name edited to remove profanity.
  • oh my, horny %s - XXX
  • %s is very horny atm - XXX
  • Instant access to %s-picture download - XXX
  • %s's webcam - cracked access - no cost - XXX
  • %s's webcam - view livecast - XXX
  • %s in bed with some guy - XXX
  • %s giving VERY good bl*wj*b XXX NOTE: Name edited to remove profanity.
  • %s getting it on with Usama Bin Laden - XXX
  • %s getting it on with George W. Bush - XXX
  • Big Boobs Part II XXX - %s
  • Spreading Wide XXX - %s
  • Huge Tits XXX - %s
  • Big Tits XXX - %s
  • b*ttf*ck*n %s - XXX NOTE: Name edited to remove profanity.
  • c*m all over %s - XXX NOTE: Name edited to remove profanity.
  • %s lesbian love - XXX NOTE: Name edited to remove profanity.
  • h4x %s's c0mput3r 4nd s3nd h3r 3m41l - mus7 d0wnl04d - 1337 h4x0r - XXX
  • %s, very good pic (must download) - XXX
  • %s getting on with it! - XXX
  • %s sucking d*ck - XXX NOTE: Name edited to remove profanity.
  • %s spreading VERY wide!! - XXX
  • Free %s celeb pics xxx playboy f*ck port huge boobs nude hardcore - XXX NOTE: Name edited to remove profanity.
  • Pictures of %s - hot pics! - XXX
  • Sexy %s nude pics xxx playboy porn pics
  • Anal Sex - %s - XXX
  • %s doing hardcore xxx
  • %s nude f*cking hardcore xxx huge boobs NOTE: Name edited to remove profanity.
  • Hardcore XXX - %s
  • Celebrity XXX - %s

This is then followed by .exe. Alternatively, instead of a celebrity name, the worm chooses one of the following game titles:
  • Hoyle Card Games 2003
  • Us Open 2002
  • Hyper Rails
  • HOYLE PUZZLE GAMES 2003
  • Puzzles battles of the history
  • Snow Drop
  • Emperor Rise of the Middle Kingdom
  • Reel Deal Slots Volume II
  • AFL Live 2003
  • Squad Battles Eagles Strike
  • Earth 2150 Lost Souls
  • Midnight Outlaw Street Racing
  • Deep Fritz 7
  • Virtual Resort Spring Break
  • Divine Divinity
  • Zelenhgorm The Great Ship
  • Kango Shicyauzo
  • Action Man Destruction X
  • Blue's Clues Preschool
  • Jurassic Park Dinosaur Battles
  • Maximum G-Force Coasters
  • Empire Earth Art of Qonquest
  • Ultimate Pinball
  • Frontline Attack War over Europe
  • Bandits - Phoenix Rising
  • Taz Wanted
  • Pro Soccer Cup 2002
  • Jeopardy! 2003
  • Prisoner Of War
  • Links 2003
  • Total Club Manager 2003
  • Sniper Path of Vengeance
  • Links 2003 Championship Courses
  • Law and Order Dead on the Money
  • Ultimate Ride Disney Coaster
  • Dogs Playing Poker
  • The Sims Unleashed
  • Stronghold Crusader
  • Virtual Skipper 2
  • Combat Mission 2
  • Iron Storm Action
  • Exodus Action
  • X-Plane
  • Project Nomads
  • Bongo Boogie
  • NHL 2003
  • ParaShooter
  • Emperor
  • Virtual Sailor
  • Battlefield 1942
  • Kickoff 2002
  • Brixout XP
  • Star Wraith 3
  • Madden NFL 2003
  • BANDITS Phoenix Rising
  • Pox Puzzle
  • Starshatter v3
  • Virtual Resort
  • Conflict Desert Storm
  • Delta Force Black Hawk Down
  • Unreal Tournament 2003
  • Scarlet Waves
  • Halloween
  • No One Lives Forever 2
  • World War II
  • Iron Storm
  • The Gates
  • Asswipe
  • Fartknocker
  • High Grow
  • Ganja Farmer 2
  • Duke Nukem Forever
  • Jedi Knight 2
  • RTCW
  • Quake 3
  • Quake 2
  • Quake 1
  • Shattered Galaxy
  • Diablo 2
  • Diablo
  • Starcraft
  • Warcraft
  • Warcraft 2
  • Warcraft 3
  • NOLF2
  • UT2003

If the worm chose a name from the previous list (the game titles), it then chooses a title from this list and inserts the game's name in place of the %s placeholder:
  • %s crack (all versions)
  • %s newest version crack
  • %s 3D Setup
  • %s - Cable Modem Playfix
  • %s - ADSL Playfix
  • %s - Unlock Everything Trainer
  • %s - Crack all versions
  • %s - Internet Play Fix
  • %s - NOCD Patch
  • %s - Tweaking utility
  • %s - Autotuning (for Newbies)
  • %s - CD Key Generator
  • %s - Newest Patch
  • %s - Character Cheat
  • %s - Map Hack
  • %s - Idem Duplicator
  • %s - Item Hack
  • %s - Multiplayer Cheat
  • %s - Unlimited Healt Trainer
  • %s - Game Trainer

This is followed by .exe.
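Because the lure names are built mechanically from fixed lists, a share-folder scanner can recognise them exactly. The following added example (not from the Symantec writeup) embeds a representative subset of the celebrity names, lure titles, game titles and cheat titles listed above, expands each %s into a pattern, and classifies a constructed directory listing; the full lists would be dropped in the same way.

```python
import re

# Representative subset of the lists in the writeup; the worm carries the full ones.
CELEBRITIES = ["Kylie Minogue", "Shakira", "Britney Spears", "Anna Kournikova"]
CELEB_TEMPLATES = ["%s's webcam - view livecast - XXX",
                   "Pictures of %s - hot pics! - XXX",
                   "Celebrity XXX - %s"]
GAMES = ["Battlefield 1942", "Warcraft 3", "Quake 3", "Unreal Tournament 2003"]
GAME_TEMPLATES = ["%s crack (all versions)", "%s - NOCD Patch",
                  "%s - CD Key Generator", "%s - Map Hack"]


def _lure_regex(templates, names):
    """Compile one regex matching any template with %s expanded to any name,
    followed by the .exe extension the worm appends."""
    names_alt = "(?:" + "|".join(re.escape(n) for n in names) + ")"
    # Split on %s rather than escaping it, so the placeholder survives re.escape.
    patterns = [names_alt.join(re.escape(p) for p in t.split("%s")) for t in templates]
    return re.compile("^(?:" + "|".join(patterns) + r")\.exe$", re.IGNORECASE)


CELEB_LURE = _lure_regex(CELEB_TEMPLATES, CELEBRITIES)
GAME_LURE = _lure_regex(GAME_TEMPLATES, GAMES)


def classify(file_name):
    """Return the Gaobot lure family a file name matches, or None."""
    if CELEB_LURE.match(file_name):
        return "celebrity-lure"
    if GAME_LURE.match(file_name):
        return "game-cheat-lure"
    return None


def scan_listing(file_names):
    """Map each suspicious name in a share-folder listing to its lure family."""
    hits = {}
    for name in file_names:
        family = classify(name)
        if family is not None:
            hits[name] = family
    return hits


# Constructed directory listing of a Kazaa share folder.
SAMPLE_LISTING = [
    "Britney Spears's webcam - view livecast - XXX.exe",
    "Warcraft 3 - NOCD Patch.exe",
    "Quake 3.exe",
    "holiday photos.zip",
    "Pictures of Shakira - hot pics! - XXX.exe",
    "Celebrity XXX - Anna Kournikova.exe",
]
```

`scan_listing(SAMPLE_LISTING)` flags the four names that follow the worm's construction exactly; a bare game title such as "Quake 3.exe" is not one of its patterns and is left alone.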

If commanded to, the worm can also:
  • Perform a Denial of Service attack on a specified server.
  • Open/close the CD-ROM drive.
  • Post the CD-Key for the following games to an IRC channel:
    • Warcraft III
    • Soldier of Fortune II - Double Helix
    • Neverwinter Nights
    • UT2003
    • Battlefield 1942
    • Half-Life


Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack; if they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Douglas Knowles