
Gaobot

W32/Gaobot.gen.H (AKA W32.GaoBot.AFJ) updated 5/5/2004, 5:00 PM

In addition to the Sasser worm, another worm has been detected in the wild and at NIH. It spreads by exploiting the same Microsoft Windows vulnerability, the LSASS buffer overrun addressed by Microsoft bulletin MS04-011 (CAN-2003-0533).

The worm's executable is named Microsoft.exe and is dropped into the Windows system32 directory.

Important information from Microsoft regarding this patch is at http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

A side effect of this worm is that its exploit attempts may crash the LSASS.exe process, and Windows then reboots the machine. An unexplained LSASS.exe crash followed by a reboot is therefore a useful sign that a machine is being targeted, whether or not the infection succeeded.

You may also see increased traffic to and from TCP ports 1025 and 7000 on machines infected with this worm.

ISSOs and administrators can also use the Retina scanner to find machines that have not been patched for MS04-011.

NAI SuperDAT 4358 and later detect and remove Gaobot.

Symantec detects this worm with definitions dated 5/2/2004 rev 38 and later. These definitions are available through the LiveUpdate feature of Symantec AntiVirus.

Gaobot.gen.H disables VirusScan, which must then be reinstalled. Have the latest SuperDAT on hand before reinstalling, since the reinstalled product will need it.

Gaobot.gen.H removal instructions:

  1. Kill the Microsoft.exe process.
  2. Delete Microsoft.exe from c:\windows\system32.
  3. Remove the worm's autostart entries from the registry: under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, delete the value that launches Microsoft.exe; under HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices, delete the value named Microsoft Update.
  4. Uninstall VirusScan.
  5. Reboot.
  6. Install VirusScan.
  7. Run the latest SuperDAT.
  8. Run a full system scan of all files.

Apply the MS04-011 patch before the machine is returned to the network. A cleaned but unpatched machine will simply be reinfected by the next Gaobot or Sasser host that reaches it.
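The following PowerShell script is an added example, not part of the original NIH advisory and not an NAI or Symantec tool. It checks a machine for the Gaobot.gen.H indicators named above (the running process, the dropped file, the Run and RunServices autostart values, and connections on ports 1025 and 7000) and, when run with -Remove, performs steps 1 through 3 of the removal instructions. The VirusScan reinstall, SuperDAT update and full scan (steps 4 through 8) remain manual. The file path and registry locations are taken from the advisory; the exact autostart value names are matched by their data (anything referencing Microsoft.exe) or by the name "Microsoft Update" given in the text, since the advisory does not list them any more precisely. Run it from an elevated prompt.

```powershell
# Added example (not from the original advisory): check for, and optionally
# remove, the Gaobot.gen.H indicators described on this page.
# Assumptions: worm file lives in %SystemRoot%\system32\Microsoft.exe;
# autostart values sit under HKLM ...\Run and ...\RunServices and either
# reference Microsoft.exe or are named "Microsoft Update".
param(
    [switch]$Remove   # perform removal steps 1-3 instead of only reporting
)

$wormPath = Join-Path $env:SystemRoot 'system32\Microsoft.exe'
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$svcKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
$found    = $false

# Step 1: the running process (Get-Process matches on name without .exe).
$procs = @(Get-Process -Name 'Microsoft' -ErrorAction SilentlyContinue)
if ($procs.Count -gt 0) {
    $found = $true
    Write-Host "Process Microsoft.exe running (PID $($procs.Id -join ','))"
    if ($Remove) { $procs | Stop-Process -Force }
}

# Step 2: the dropped executable.
if (Test-Path -LiteralPath $wormPath) {
    $found = $true
    Write-Host "File present: $wormPath"
    if ($Remove) { Remove-Item -LiteralPath $wormPath -Force }
}

# Step 3: autostart values. Get-ItemProperty returns one object whose
# properties are the registry values; PS* properties are provider metadata.
foreach ($key in @($runKey, $svcKey)) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($v in $values.PSObject.Properties) {
        if ($v.Name -like 'PS*') { continue }
        $data = "$($v.Value)"
        if ($data -match 'Microsoft\.exe' -or $v.Name -eq 'Microsoft Update') {
            $found = $true
            Write-Host "Autostart value: $key\$($v.Name) = $data"
            if ($Remove) { Remove-ItemProperty -Path $key -Name $v.Name }
        }
    }
}

# Network indicator from the advisory: activity on ports 1025 and 7000.
# Get-NetTCPConnection exists only on Windows 8 / Server 2012 and later,
# so skip this check where the cmdlet is absent.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { ($_.LocalPort -in 1025, 7000) -or ($_.RemotePort -in 1025, 7000) } |
        ForEach-Object {
            Write-Host ("Connection on watched port: {0}:{1} -> {2}:{3} ({4})" -f `
                $_.LocalAddress, $_.LocalPort, $_.RemoteAddress, $_.RemotePort, $_.State)
        }
}

if (-not $found) {
    Write-Host 'No Gaobot.gen.H host indicators found.'
} elseif ($Remove) {
    Write-Host 'Host indicators removed. Reboot, reinstall VirusScan, apply the latest SuperDAT, run a full scan, and patch MS04-011 before reconnecting.'
} else {
    Write-Host 'Indicators found. Re-run with -Remove to perform removal steps 1-3.'
}
```

Port 1025 is also the first dynamic RPC endpoint port on Windows of that era, so a connection on 1025 alone is not conclusive; treat the port check as corroboration for the process, file and registry findings rather than as an indicator in its own right.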

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.


This page last reviewed: September 12, 2008