
Discovered: October 22, 2002
Updated: February 13, 2007 11:56:04 AM
Also Known As: W32/Gaobot.worm [McAfee], WORM_GAOBOT
Type: Worm
Systems Affected: Windows

W32.HLLW.Gaobot is a worm that copies itself as %system%\Sysldr32.exe.

It then connects to an IRC server and listens for commands. By default, the worm connects on ports 6667 and 9900. The commands that it supports include commands to spread itself through popular file-sharing programs such as Kazaa, Bearshare, and Grokster. It shares itself under file names such as the following:

  • Kylie Minogue is very horny atm - XXX.exe
  • Cameron Diaz's webcam - cracked access - no cost - XXX.exe
  • Hoyle Card Games 2003 crack (all versions).exe
  • Warcraft 3 - Cable Modem Playfix.exe
  • Delta Force Black Hawk Down - Item Hack.exe

The worm also attempts to spread to all computers on the network. Using a utility that connects to a remote computer on port 445, it copies the Woinggg.exe file across the network and then executes it.

Antivirus Protection Dates

  • Initial Rapid Release version October 22, 2002
  • Latest Rapid Release version May 07, 2019 revision 006
  • Initial Daily Certified version October 22, 2002
  • Latest Daily Certified version May 07, 2019 revision 008
  • Initial Weekly Certified release date October 23, 2002


Technical Description

Upon execution, W32.HLLW.Gaobot performs the following actions:

It copies itself as %system%\Sysldr32.exe.

NOTE: This %system% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The worm adds the value:

"Config Loader"="%system%\sysldr32.exe"

to the registry keys:


so that it runs each time that you start Windows.

It may add the value:


to the registry key:


The worm connects to an IRC server on one of these ports:

  • 6667
  • 9900
and joins a specified channel where it will listen for commands.

Actions as a result of commands
Some of the commands that the worm supports, and the actions that it can take as the result of these commands, are described in this section.

One command causes the worm to attempt to copy itself to all computers on the network by downloading the program Psexec.exe. This program is a utility that can start services on a remote computer using the Server Message Block (SMB) protocol. (This might account for more activity on port 445.) This function also attempts to guess the remote computer's user name and password. It also creates the Woinggg.bat file in the \System folder of the infected computer. This .bat file attempts to connect to the remote computer by using multiple net use commands with different user names and simple passwords. Once it has completed, the worm attempts to use the Psexec.exe utility to copy and then run a copy of the worm on the remote computer as Woinggg.exe.

Another command causes the worm to read the shared folder for Kazaa, Bearshare, and Grokster, and to copy a file with a file name constructed as follows:

It chooses a name from this list:
  • Kylie Minogue
  • Shakira
  • Christina Aguilera
  • Britney Spears
  • Michelle Behennah
  • Kate Moss
  • Helena Christensen
  • Emma Sjoberg
  • Stacey Keibler
  • Karina Lombard
  • Kylie Bax
  • Cameron Diaz
  • Lexa Doig
  • Belinda Chapple
  • Alessandra Ambrosia
  • Kirsten Dunst
  • Halle Berry
  • Salma Hayek
  • Charlize Theron
  • Katie Price
  • Pamela Anderson
  • Donna D'Erico
  • Ashley Judd
  • Carmen Electra
  • Jessica Alba
  • Amanda Peet
  • Sandra Bullock
  • Gillian Anderson
  • Anna Kournikova
  • Samantha Mumba
  • Chandra North
  • Kelly Hu
  • Jolene Blalock

and then inserts that name into a name chosen from this list, replacing the %s with the name chosen from the first list:
  • Watch %s sucking and f*ck*ng - XXX (NOTE: Name edited to remove profanity.)
  • oh my, horny %s - XXX
  • %s is very horny atm - XXX
  • Instant access to %s-picture download - XXX
  • %s's webcam - cracked access - no cost - XXX
  • %s's webcam - view livecast - XXX
  • %s in bed with some guy - XXX
  • %s giving VERY good bl*wj*b XXX (NOTE: Name edited to remove profanity.)
  • %s getting it on with Usama Bin Laden - XXX
  • %s getting it on with George W. Bush - XXX
  • Big Boobs Part II XXX - %s
  • Spreading Wide XXX - %s
  • Huge Tits XXX - %s
  • Big Tits XXX - %s
  • b*ttf*ck*n %s - XXX (NOTE: Name edited to remove profanity.)
  • c*m all over %s - XXX (NOTE: Name edited to remove profanity.)
  • %s lesbian love - XXX (NOTE: Name edited to remove profanity.)
  • h4x %s's c0mput3r 4nd s3nd h3r 3m41l - mus7 d0wnl04d - 1337 h4x0r - XXX
  • %s, very good pic (must download) - XXX
  • %s getting on with it! - XXX
  • %s sucking d*ck - XXX (NOTE: Name edited to remove profanity.)
  • %s spreading VERY wide!! - XXX
  • Free %s celeb pics xxx playboy f*ck port huge boobs nude hardcore - XXX (NOTE: Name edited to remove profanity.)
  • Pictures of %s - hot pics! - XXX
  • Sexy %s nude pics xxx playboy porn pics
  • Anal Sex - %s - XXX
  • %s doing hardcore xxx
  • %s nude f*cking hardcore xxx huge boobs (NOTE: Name edited to remove profanity.)
  • Hardcore XXX - %s
  • Celebrity XXX - %s

This is followed either by .exe or by one of the following:
  • Hoyle Card Games 2003
  • Us Open 2002
  • Hyper Rails
  • Puzzles battles of the history
  • Snow Drop
  • Emperor Rise of the Middle Kingdom
  • Reel Deal Slots Volume II
  • AFL Live 2003
  • Squad Battles Eagles Strike
  • Earth 2150 Lost Souls
  • Midnight Outlaw Street Racing
  • Deep Fritz 7
  • Virtual Resort Spring Break
  • Divine Divinity
  • Zelenhgorm The Great Ship
  • Kango Shicyauzo
  • Action Man Destruction X
  • Blue's Clues Preschool
  • Jurassic Park Dinosaur Battles
  • Maximum G-Force Coasters
  • Empire Earth Art of Qonquest
  • Ultimate Pinball
  • Frontline Attack War over Europe
  • Bandits - Phoenix Rising
  • Taz Wanted
  • Pro Soccer Cup 2002
  • Jeopardy! 2003
  • Prisoner Of War
  • Links 2003
  • Total Club Manager 2003
  • Sniper Path of Vengeance
  • Links 2003 Championship Courses
  • Law and Order Dead on the Money
  • Ultimate Ride Disney Coaster
  • Dogs Playing Poker
  • The Sims Unleashed
  • Stronghold Crusader
  • Virtual Skipper 2
  • Combat Mission 2
  • Iron Storm Action
  • Exodus Action
  • X-Plane
  • Project Nomads
  • Bongo Boogie
  • NHL 2003
  • ParaShooter
  • Emperor
  • Virtual Sailor
  • Battlefield 1942
  • Kickoff 2002
  • Brixout XP
  • Star Wraith 3
  • Madden NFL 2003
  • BANDITS Phoenix Rising
  • Pox Puzzle
  • Starshatter v3
  • Virtual Resort
  • Conflict Desert Storm
  • Delta Force Black Hawk Down
  • Unreal Tournament 2003
  • Scarlet Waves
  • Halloween
  • No One Lives Forever 2
  • World War II
  • Iron Storm
  • The Gates
  • Asswipe
  • Fartknocker
  • High Grow
  • Ganja Farmer 2
  • Duke Nukem Forever
  • Jedi Knight 2
  • RTCW
  • Quake 3
  • Quake 2
  • Quake 1
  • Shattered Galaxy
  • Diablo 2
  • Diablo
  • Starcraft
  • Warcraft
  • Warcraft 2
  • Warcraft 3
  • NOLF2
  • UT2003

If the worm chose a name from the previous list (which contains game names), it then chooses one from this list and inserts the game's name in place of the %s:
  • %s crack (all versions)
  • %s newest version crack
  • %s 3D Setup
  • %s - Cable Modem Playfix
  • %s - ADSL Playfix
  • %s - Unlock Everything Trainer
  • %s - Crack all versions
  • %s - Internet Play Fix
  • %s - NOCD Patch
  • %s - Tweaking utility
  • %s - Autotuning (for Newbies)
  • %s - CD Key Generator
  • %s - Newest Patch
  • %s - Character Cheat
  • %s - Map Hack
  • %s - Idem Duplicator
  • %s - Item Hack
  • %s - Multiplayer Cheat
  • %s - Unlimited Healt Trainer
  • %s - Game Trainer

This is followed by .exe.
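The naming scheme above can be turned into a detection rule for file names found in P2P shared folders. The following is an added example, not code from the original write-up: it uses only a subset of the listed names and templates, and the function names (build_rules, classify, scan) and the sample folder listing are constructed for illustration.

```python
import re

# Subset of the names and templates listed above; "%s" marks the inserted name.
PEOPLE = ["Kylie Minogue", "Cameron Diaz", "Shakira"]
GAMES = ["Hoyle Card Games 2003", "Warcraft 3", "Delta Force Black Hawk Down"]
PERSON_TEMPLATES = ["%s is very horny atm - XXX",
                    "%s's webcam - cracked access - no cost - XXX"]
GAME_TEMPLATES = ["%s crack (all versions)", "%s - Cable Modem Playfix",
                  "%s - Item Hack"]

def build_rules(templates, names):
    """Compile each template into a regex matching '<lure>.exe'."""
    alternation = "|".join(re.escape(n) for n in names)
    rules = []
    for template in templates:
        head, tail = template.split("%s")
        pattern = (re.escape(head) + "(?P<name>" + alternation + ")"
                   + re.escape(tail) + r"\.exe")
        # Windows file names are case-insensitive, so match that way too.
        rules.append(re.compile(pattern, re.IGNORECASE))
    return rules

RULES = {"person-lure": build_rules(PERSON_TEMPLATES, PEOPLE),
         "game-lure": build_rules(GAME_TEMPLATES, GAMES)}

def classify(filename):
    """Return (rule, inserted_name) for a lure file name, else None."""
    for rule, patterns in RULES.items():
        for pattern in patterns:
            match = pattern.fullmatch(filename)
            if match:
                return rule, match.group("name")
    return None

def scan(filenames):
    """Return {file name: classification} for every name that matches."""
    hits = {}
    for name in filenames:
        result = classify(name)
        if result:
            hits[name] = result
    return hits

# Constructed listing of a P2P shared folder (not real telemetry).
SAMPLE = [
    "Cameron Diaz's webcam - cracked access - no cost - XXX.exe",
    "Delta Force Black Hawk Down - Item Hack.exe",
    "holiday-photos.zip",
    "Warcraft 3 - Cable Modem Playfix.exe.txt",
]
```

Because the worm fills fixed templates from fixed lists, full-string matching keeps false positives low; a file name match is a lead for scanning, not proof of infection.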

If commanded to, the worm can also:
  • Perform a Denial of Service attack on a specified server.
  • Open/close the CD-ROM drive.
  • Post the CD-Key for the following games to an IRC channel:
    • Warcraft III
    • Soldier of Fortune II - Double Helix
    • Neverwinter Nights
    • UT2003
    • Battlefield 1942
    • Half-Life


Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.


NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

  1. Update the virus definitions.
  2. Run a full system scan, and delete all files that are detected as W32.HLLW.Gaobot.
  3. Delete the value:

    "Config Loader"="%system%\sysldr32.exe"

    from the registry keys

  4. Delete the value:


    from the registry key:

For details on how to do this, read the following instructions.

To update the virus definitions:
All virus definitions receive full quality assurance testing by Symantec Security Response before being posted to our servers. There are two ways to obtain the most recent virus definitions:
  • Run LiveUpdate, which is the easiest way to obtain virus definitions. These virus definitions are posted to the LiveUpdate servers one time each week (usually Wednesdays) unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at the top of this write-up.
  • Download the definitions using the Intelligent Updater. Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. To determine whether definitions for this threat are available by the Intelligent Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this write-up.

    Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.

To scan for and delete the infected files:
  1. Start your Symantec antivirus program, and make sure that it is configured to scan All Files.
  2. Run a full system scan.
  3. If any files are detected as being infected with W32.HLLW.Gaobot, click Delete.

To remove the value that the worm added to the registry:

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.
  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and then click OK. The Registry Editor opens.
  3. Navigate to the key

  4. In the right pane, delete this value:

    "Config Loader"="%system%\sysldr32.exe"
  5. Navigate to the key

  6. In the right pane, delete this value:

    "Config Loader"="%system%\sysldr32.exe"
  7. Navigate to the key

  8. In the right pane, delete this value:

    "Config Loader"="%system%\sysldr32.exe"
  9. Navigate to the key

  10. In the right pane, delete this value:

  11. Exit the Registry Editor.

Writeup By: Douglas Knowles