McAfee Thursday issued an alert for W32/Gaobot.worm.ali, with the warning that there are more than 900 variants of the Gaobot virus in existence.

The source code for Gaobot was posted to various web sites resulting in many new variants being created each week, the vendor reported.

W32/Gaobot.worm.ali stands out from some others as it seems to be the first variant to incorporate code exploiting the MS04-011 LSASS vulnerability (CAN-2003-0533). This particular variant is not currently a threat, as it depends on an IRC server that is no longer available. However, functional variants are expected to follow soon, and their details will likely differ from this one.

For maximum protection against the Gaobot family, users are recommended to:

  • use the latest engine/DATs combination
  • ensure the scanning of compressed files is enabled
  • keep Windows systems patched by using Windows Update
  • ensure weak username/passwords are not used
  • run a personal desktop firewall application

The virus contains lots of remote access functionality, including:

  • Create/Remove services
  • Denial of service attack
  • FTP/HTTP functions (upload, download files, etc)
  • IRC functions
  • Retrieve system information (RAM, CPU, Disk Space)
  • Secure/insecure Windows shares
  • Shutdown/reboot/logoff computer
  • Sniffer
  • Steal CD and product keys for various products
  • Terminate running processes

More information is at this McAfee page.

Meanwhile, Sophos issued alerts Thursday for three different variants of the Agobot virus. The first, W32/Agobot-GZ, is an IRC backdoor Trojan and network worm.

W32/Agobot-GZ is capable of spreading to computers on the local network protected by weak passwords.

When first run, W32/Agobot-GZ copies itself to the Windows system folder as svnhost.exe and creates the following registry entries to run itself on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Event = svnhost.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update Event = svnhost.exe

The Trojan runs continuously in the background providing backdoor access to the computer.

The Trojan attempts to terminate and disable various anti-virus and security-related programs and modifies the HOSTS file located at %WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus web sites to the loopback address 127.0.0.1 in an attempt to prevent access to these sites. Typically certain mappings will be appended to the HOSTS file. View the mappings and other information at this Sophos page.

W32/Agobot-PV is an IRC backdoor Trojan and network worm that is capable of spreading to computers on the local network protected by weak passwords.

When first run, W32/Agobot-PV moves itself to the Windows system folder as pb.exe and creates the following registry entries to run itself on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WSAConfiguration = pb.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
WSAConfiguration = pb.exe

Each time the Trojan is run it attempts to connect to a remote IRC server and join a specific channel.

The Trojan then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.

More information is at this Sophos page.

W32/Agobot-NA is a backdoor Trojan and worm that spreads to computers protected by weak passwords.

When first run, W32/Agobot-NA copies itself to the Windows system folder as wmiprvsw.exe and creates the following registry entries to run itself on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
System Updater Service = wmiprvsw.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
System Updater Service = wmiprvsw.exe

The worm runs continuously in the background providing backdoor access to the computer. W32/Agobot-NA attempts to terminate and disable various anti-virus and security-related programs. The worm also modifies the HOSTS file located at %WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus web sites to the loopback address 127.0.0.1 in an attempt to prevent access to these sites. Typically certain mappings will be appended to the HOSTS file. View them and other information at this Sophos page.
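Both W32/Agobot-GZ and W32/Agobot-NA tamper with the HOSTS file in the same way, so a defender's first check on a suspect machine is to audit that file for hostnames sent to a blackhole address. The script below is an added example, not code from the Sophos advisories or from this article; the HOSTS contents and vendor hostnames in it are constructed, and it also flags the 0.0.0.0 sinkhole form that later malware used alongside 127.0.0.1.

```python
import ipaddress
from typing import List, Tuple

# Names that legitimately resolve to loopback in a stock HOSTS file.
EXPECTED_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: a HOSTS file after the kind of tampering the Sophos
# alerts describe. The vendor hostnames are illustrative, not from the page.
SAMPLE_HOSTS = """# Constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.example-av-vendor.test update.example-av-vendor.test
127.0.0.1 \t downloads.example-security.test  # appended by malware
0.0.0.0         liveupdate.example-av.test
10.0.0.5        intranet.corp.test
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, skipping blanks and comments.
    One HOSTS line may carry several hostnames after the address."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: address with no hostname
        addr, names = fields[0], fields[1:]
        for name in names:
            pairs.append((addr, name.lower()))
    return pairs


def is_blackhole(addr: str) -> bool:
    """True for loopback (127.0.0.1, ::1) or the unspecified address (0.0.0.0)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP literal; leave for manual review
    return ip.is_loopback or ip.is_unspecified


def suspicious_mappings(text: str) -> List[Tuple[str, str]]:
    """Entries that send a non-local hostname to a blackhole address."""
    return [(addr, name) for addr, name in parse_hosts(text)
            if is_blackhole(addr) and name not in EXPECTED_LOOPBACK]


if __name__ == "__main__":
    for addr, name in suspicious_mappings(SAMPLE_HOSTS):
        print(f"suspicious: {name} -> {addr}")
```

On a live Windows host, read %WINDOWS%\System32\Drivers\etc\HOSTS into `suspicious_mappings` instead of the sample; any hit for a security vendor's update or download site is a strong sign of this family's tampering.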

And Trend Micro issued an alert for Worm_Agobot.HA, a worm that propagates via network shares. It uses NetBEUI functions to obtain lists of available user names and passwords. It enumerates the available network shares and uses the gathered user names and passwords to access them.

It also tries to access the shares using a predefined list of user names and passwords. This malware also scans the network for systems vulnerable to the following Windows vulnerabilities:

  • Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
  • IIS5/WEBDAV Buffer Overflow vulnerability
  • RPC Locator vulnerability

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

Microsoft Security Bulletin MS03-026
Microsoft Security Bulletin MS03-001
Microsoft Security Bulletin MS03-007

Worm_Agobot.HA also has backdoor capabilities and may execute malicious commands on the host machine. It terminates antivirus-related processes and steals the CD keys, serial numbers, and product IDs of certain applications.

View technical details at this Trend Micro page.

--Compiled by Esther Shein