
First MS04-011 Worm emerges: W32/Gaobot.worm.ali



#1 harrywaldron
Posted 29 April 2004 - 06:42 AM

Symantec has also classified this first MS04-011 variant as W32.Gaobot.AFJ. The "good news" is that it is not an active threat as the dependent IRC server has been shut down; however, the "bad news" is that it provides a model for more crafting work on MS04-011 exploitable worms.

First MS04-011 Worm emerges: W32/Gaobot.worm.ali
http://vil.nai.com/vil/content/v_125006.htm
http://www.incidents.org/diary.php?date=2004-04-28
http://www.incidents.org/diary.php?date=2004-04-27

At the time of this writing, there are more than 900 variants of the Gaobot virus in existence. The source code for Gaobot was posted to various websites resulting in many new variants being created each week.

W32/Gaobot.worm.ali stands out from some others as it seems to be the first variant that incorporates code to exploit an MS04-011 vulnerability (LSASS Vulnerability (CAN-2003-0533)).

This particular variant is not currently a threat as it is dependent on an IRC server, which is no longer available. However, it is presumed that other variants will likely follow soon, which are functional. Details of those variants will likely vary from this one.

For maximum protection against the Gaobot family, users are recommended to:

* use the latest engine/DATs combination
* ensure the scanning of compressed files is enabled
* keep Windows systems patched by using Windows Update
* ensure weak username/passwords are not used
* run a personal desktop firewall application

The virus contains lots of remote access functionality, including:

* Create/Remove services
* Denial of service attack
* FTP/HTTP functions (upload, download files, etc)
* IRC functions
* Retrieve system information (RAM, CPU, Disk Space)
* Secure/insecure Windows shares
* Shutdown/reboot/logoff computer
* Sniffer
* Steal CD and product keys for various products
* Terminate running processes


#2 harrywaldron
Posted 30 April 2004 - 06:04 AM

Symantec information - plus two new MS04-011 based Agobot threats emerged overnight.

W32.Gaobot.AFJ
http://www.sarc.com/avcenter/venc/data/w32.gaobot.afj.html

W32.Gaobot.AFJ is a worm that spreads through open network shares, backdoors installed by the Beagle and Mydoom worms, and several Windows vulnerabilities including:

* DCOM RPC Vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
* Workstation Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03-049.
* Exploits the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).


W32.Gaobot.AFC
http://www.sarc.com/avcenter/venc/data/w32.gaobot.afc.html

W32.Gaobot.AFC is a worm that spreads through open network shares and several Windows vulnerabilities including:

* The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
* The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
* The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03-049.
* The UPnP vulnerability (described in Microsoft Security Bulletin MS01-059).
* The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061) using UDP port 1434.
* Exploits the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).


W32.Gaobot.AFW
http://www.sarc.com/avcenter/venc/data/w32.gaobot.afw.html

W32.Gaobot.AFW is a worm that spreads through open network shares and several Windows vulnerabilities including:

* The DCOM RPC Vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
* The WebDav Vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
* The Workstation Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03-049.
* The UPnP NOTIFY Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS01-059).
* The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061) using UDP port 1434.
* Exploits the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).
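The advisories quoted in both posts share one useful detection handle: every Gaobot spread vector listed above rides on a small fixed set of ports (135/tcp, 445/tcp, 80/tcp, 1434/udp), and a worm hits many different hosts on them in quick succession. The script below is an added example, not code from the post or from McAfee/Symantec; it runs over constructed firewall-style log lines and flags sources fanning out across those ports to several destinations. The log format and the `min_targets` threshold are assumptions for illustration.

```python
# Added example (not from the post or the vendor advisories): flag hosts whose
# outbound attempts fan out across the Gaobot propagation ports listed above.
from collections import defaultdict

# Ports tied to the bulletins quoted in the posts: MS03-026 (135/tcp), MS03-049
# and MS04-011 LSASS (445/tcp), MS03-007 WebDAV (80/tcp), MS02-061 (1434/udp).
GAOBOT_VECTORS = {("tcp", 135), ("tcp", 445), ("tcp", 80), ("udp", 1434)}

# Constructed sample log, assumed format: "<time> <proto> <src> -> <dst>:<dport>"
SAMPLE_LOG = """\
09:00:01 tcp 10.0.0.7 -> 10.0.0.20:445
09:00:01 tcp 10.0.0.7 -> 10.0.0.21:445
09:00:02 tcp 10.0.0.7 -> 10.0.0.22:135
09:00:02 tcp 10.0.0.7 -> 10.0.0.23:135
09:00:03 udp 10.0.0.7 -> 10.0.0.24:1434
09:00:03 tcp 10.0.0.7 -> 10.0.0.25:80
09:00:04 tcp 10.0.0.9 -> 10.0.0.20:445
09:00:06 tcp 10.0.0.11 -> 10.0.0.30:443
"""

def parse_line(line):
    """Return (proto, src, dst, dport) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->" or ":" not in parts[4]:
        return None
    dst, _, port = parts[4].rpartition(":")
    if not port.isdigit():
        return None
    return parts[1].lower(), parts[2], dst, int(port)

def find_propagation_candidates(log_text, min_targets=3):
    """Collect per-source hits on worm vectors and return the sources that
    touched at least `min_targets` distinct destinations on those ports,
    mapped to the sorted (proto, port) vectors they used."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        proto, src, dst, dport = rec
        if (proto, dport) in GAOBOT_VECTORS:
            hits[src].add((proto, dport, dst))
    flagged = {}
    for src, targets in hits.items():
        if len({t[2] for t in targets}) >= min_targets:
            flagged[src] = sorted({(p, d) for p, d, _ in targets})
    return flagged

if __name__ == "__main__":
    for src, vectors in find_propagation_candidates(SAMPLE_LOG).items():
        print(src, "->", vectors)
```

A single host such as 10.0.0.9 legitimately reaching one file server on 445 is not flagged; the threshold is what separates normal SMB use from worm-style fan-out, so tune it to the segment's baseline.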
