- Discovered: April 27, 2004
- Updated: February 13, 2007 12:22:15 PM
- Also Known As: Backdoor.Agobot.gen [Kaspersky], WORM_AGOBOT.JF [Trend], WORM_AGOBOT.JO [Trend]
- Type: Worm
- Systems Affected: Windows 2000, Windows NT, Windows XP
W32.Gaobot.AFJ is a worm that spreads through open network shares, backdoors that the Beagle and Mydoom worms install, and several Windows vulnerabilities, including:
- DCOM RPC Vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
- Workstation Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03-049.
- Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).
A variant discovered on May 12, 2004 attempts to spread using W32.Sasser.Worm. It does this by injecting code into the "avserve.exe" process, so that when the Sasser worm attempts to propagate, it sends Gaobot to the remote system instead of Sasser. This variant creates a file named "wormride.dll" in the System directory.
Antivirus Protection Dates
- Initial Rapid Release version April 28, 2004
- Latest Rapid Release version March 8, 2011 revision 004
- Initial Daily Certified version April 28, 2004
- Latest Daily Certified version March 8, 2011 revision 020
- Initial Weekly Certified release date April 28, 2004
Threat Assessment
Wild
- Wild Level: Low
- Number of Infections: 50 - 999
- Number of Sites: More than 10
- Geographical Distribution: Low
- Threat Containment: Easy
- Removal: Moderate
Damage
- Damage Level: Medium
Distribution
- Distribution Level: Medium
Writeup By: Kaoru Hayashi







