W32.HLLW.Gaobot.RQ

1. Creates the mutex, "unitbots," so that only one instance of the worm runs.
   
   
2. Copies itself as %System%\Winicfg32.exe.
   
   
3. Adds the value:
   
   "configuration loader"="winicfg32.exe"
   
   to these registry keys:
   
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
   RunServices
   
   
4. Randomly calculates IP addresses of the infection target and attempts to connect to the infection target at port 445.
   
   
5. Once the connection is established, it uses user accounts found with the API call NetUserEnum, and a predefined set of common weak passwords to log on to the infection target. Once authenticated, the worm will copy itself to the following locations:
   
   \\<autheticated IP>\c$\zxpayxz.exe
   \\<autheticated IP>\c$\winnt\system32\zxpayxz.exe
   \\<autheticated IP>\Admin$\system32\zxpayxz.exe
   
   The passwords that it uses are:
   
   12346
   123467
   1234678
   12346789
   123467890
   access
   accounting
   accounts
   admin
   administrator
   backup
   barbara
   blank
   brian
   bruce
   capitol
   changeme
   cisco
   compaq
   control
   database
   databasepass
   databasepassword
   db1234
   dbpass
   dbpassword
   default
   domain
   domainpass
   domainpassword
   exchange
   exchnge
   frank
   freddy
   george
   guest
   headoffice
   heaven
   homeuser
   internet
   intranet
   katie
   login
   loginpass
   nokia
   oeminstall
   oemuser
   office
   orange
   outlook
   pass1234
   passwd
   password
   password1
   peter
   qwerty
   server
   siemens
   spencer
   sqlpass
   staff
   student
   student1
   susan
   system
   teacher
   technical
   turnip
   user1
   userpassword
   win2000
   win2k
   win98
   windows
   winnt
   winpass
   winxp
   yellow
   
   
6. Launches a threat that carries backdoor functions, which include:
   • Denial of Service (DoS) attack using SYN flood
   • Port redirect
   • Download and execute files
   • Port scan
   • Steal system and personal information
   • Stop threads
     
     
7. Steals CD keys for the following games:
   • Command & Conquer Generals
   • Found FIFA 2003
   • Need For Speed Hot Pursuit 2
   • Call of Duty
   • Soldier of Fortune II - Double Helix
   • Neverwinter
   • Rainbow Six III RavenShield
   • RAVENSHIELD
   • Battlefield 1942 Road To Rome
   • Battlefield 1942 The Road to Rome
   • Project IGI 2
   • Counter-Strike
   • Unreal Tournament 2003
   • Half-Life

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
• Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
• Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
• Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
• If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
• If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
• For further information on the terms used in this document, please refer to the Security Response glossary.