W32.Gaobot.AJE

When W32.Gaobot.AJE is executed, it performs following actions:

1. Copies itself to %System%\norton.exe.
   
   

   ---

   Note: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

   ---

   
   
2. Adds the value:
   
   "System Service Manager"="norton.exe"
   
   to the registry keys:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
   
   so that the worm runs when you start Windows.
   
   
3. Disables access to certain antivirus Web sites by adding the following lines to %System%\drivers\etc\hosts:
   
   127.0.0.1 avp.com
   127.0.0.1 ca.com
   127.0.0.1 customer.symantec.com
   127.0.0.1 dispatch.mcafee.com
   127.0.0.1 download.mcafee.com
   127.0.0.1 f-secure.com
   127.0.0.1 kaspersky.com
   127.0.0.1 liveupdate.symantec.com
   127.0.0.1 liveupdate.symantecliveupdate.com
   127.0.0.1 mast.mcafee.com
   127.0.0.1 mcafee.com
   127.0.0.1 my-etrust.com
   127.0.0.1 nai.com
   127.0.0.1 networkassociates.com
   127.0.0.1 rads.mcafee.com
   127.0.0.1 secure.nai.com
   127.0.0.1 securityresponse.symantec.com
   127.0.0.1 sophos.com
   127.0.0.1 symantec.com
   127.0.0.1 trendmicro.com
   127.0.0.1 update.symantec.com
   127.0.0.1 updates.symantec.com
   127.0.0.1 us.mcafee.com
   127.0.0.1 viruslist.com
   127.0.0.1 viruslist.com
   127.0.0.1 www.avp.com
   127.0.0.1 www.ca.com
   127.0.0.1 www.f-secure.com
   127.0.0.1 www.kaspersky.com
   127.0.0.1 www.mcafee.com
   127.0.0.1 www.my-etrust.com
   127.0.0.1 www.nai.com
   127.0.0.1 www.networkassociates.com
   127.0.0.1 www.sophos.com
   127.0.0.1 www.symantec.com
   127.0.0.1 www.trendmicro.com
   127.0.0.1 www.viruslist.com
   
   
4. Terminates the processes of antivirus and security applications, as well as other worms.
   
   
5. Opens a randomly selected TCP port and sends a copy of itself to any process connecting to that port.
   
   
6. Connects to a remote IRC server and awaits commands from the remote attacker. This allows the attacker to perform the following actions on an infected system:
   
   Kill a particular process
   List processes
   Perform HTTP, ICMP, SYN, and UDP floods
   Restart the computer
   Retrieve a list of email addresses, through HTTP
   Retrieve data from the registry
   Retrieve the email addresses stored on the computer
   Retrieve the files via FTP and HTTP
   Run commands
   Sniff HTTP, FTP, and IRC traffic
   Steal Windows product IDs, and the CD keys of various video games
   Terminate Windows services
   
   
7. Attempts to propagate to other systems using the following methods:
   
   Exploiting the DCOM RPC Vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
   Exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).
   Exploiting the UPnP NOTIFY Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS01-059).
   Exploiting the vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061) using UDP port 1434.
   Exploiting the WebDav Vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
   Exploiting the Workstation Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03-049.
   Sending itself to the backdoor ports that the Beagle and Mydoom worms open.
   
   
8. Attempts to copy itself to other computers through the following remote administrative SMB shares:
   

admin$
c
c$
d$
e$
print$

using the following user names and passwords, as well as any user names found using NetUserEnum():

User name:
a
aaa
abc
admin
Administrador
administrador
Administrateur
Administrator
administrator
admins
asdf
bill
colin
computer
Convidado
Coordinatore
database
Default
Dell
dick
erik
Gast
george
Guest
home
Inviter
jim
kanri
kanri-sha
karl
kate
kt
login
mark
mary
mgmt
mike
mypc
mysql
OEM
Ospite
OWNER
Owner
owner
patrick
pc
peter
qwer
root
server
sql
stacey
stacy
Standard
stefan
steve
steven
student
teacher
temp
Test
test
tim
tom
User
user
Verwalter
win
wwwadmin
x
xp
xyz

Password:
0
000000
00000000
007
12
23
42
69
110
111
123
666
1234
1776
1778
2002
2003
2004
2525
2600
12345
54321
111111
121212
123123
123456
654321
1234567
11111111
12345678
88888888
123456789
!@#$
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
1234qwer
123abc
123asd
123qwe
ACCESS
Admin
Administrador
Administrateur
ADMINISTRATOR
ASP
BACKUP
BOX
Box
CNN
Coordinatore
Default
Internet
LOCAL
Login
Ospite
PASSWD
Password
PHP
ROOT
SERVER
SYSTEM
Tcran
TEMP
Tennessee
TEST
Texas
UNIX
Verwalter
Washington
West

9. Copies itself to any shares that it successfully authenticates to, and schedules a network job to run the worm on the remote system.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
• Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
• Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
• Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
• If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
• If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
• For further information on the terms used in this document, please refer to the Security Response glossary.

Summary