W32.Gaobot.DXO is a network-aware worm with back door capabilities that can be controlled through IRC channels and spreads to network shares protected by weak passwords. It also terminates antivirus, firewall and analysis processes to weaken the defenses of the compromised computer.
When W32.Gaobot.DXO is executed, it performs the following actions:
1. Creates the mutex named "Ruff" so that only one copy of the worm runs on the compromised computer.
2. Copies itself as %System%\ssmss.exe.
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
3. Adds the value:
"IE6" = "ssmss.exe"
to the subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE
so that it executes every time Windows starts.
4. Sets the value:
"EnableDCOM" = "N"
in the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
to disable DCOM.
5. Sets the value:
"restrictanonymous" = "1"
in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
to restrict anonymous (null-session) enumeration of accounts and shares on the compromised computer.
6. Monitors the above registry entries and resets them if they are modified.
7. Attempts to remove the following default administrative shares:
* IPC$
* ADMIN$
* C$
* D$
8. Opens a back door by connecting to 202.67.151.150 on TCP port 8066, through which a remote attacker can issue commands and gain unauthorized access to the compromised computer.
9. Disables various antivirus and security-related programs by ending processes with the names listed below. The list also covers competing worms (for example MSBLAST.EXE and BBEAGLE.EXE), debugging and analysis tools (OLLYDBG.EXE, ETHEREAL.EXE, PROCDUMP.EXE) and built-in administrative utilities (REGEDIT.EXE, MSCONFIG.EXE, NETSTAT.EXE), so a host on which these tools exit as soon as they are started should be treated as a possible infection:
* i11r54n4.exe
* irun4.exe
* d3dupdate.exe
* rate.exe
* ssate.exe
* winsys.exe
* winupd.exe
* SysMonXP.exe
* bbeagle.exe
* Penis32.exe
* mscvb32.exe
* sysinfo.exe
* PandaAVEngine.exe
* F-AGOBOT.EXE
* HIJACKTHIS.EXE
* _AVPM.EXE
* _AVPCC.EXE
* _AVP32.EXE
* ZONEALARM.EXE
* ZONALM2601.EXE
* ZATUTOR.EXE
* ZAPSETUP3001.EXE
* ZAPRO.EXE
* XPF202EN.EXE
* WYVERNWORKSFIREWALL.EXE
* WUPDT.EXE
* WUPDATER.EXE
* WSBGATE.EXE
* WRCTRL.EXE
* WRADMIN.EXE
* WNT.EXE
* WNAD.EXE
* WKUFIND.EXE
* WINUPDATE.EXE
* WINTSK32.EXE
* WINSTART001.EXE
* WINSTART.EXE
* WINSSK32.EXE
* WINSERVN.EXE
* WINRECON.EXE
* WINPPR32.EXE
* WINNET.EXE
* WINMAIN.EXE
* WINLOGIN.EXE
* WININITX.EXE
* WININIT.EXE
* WININETD.EXE
* WINDOWS.EXE
* WINDOW.EXE
* WINACTIVE.EXE
* WIN32US.EXE
* WIN32.EXE
* WIN-BUGSFIX.EXE
* WIMMUN32.EXE
* WHOSWATCHINGME.EXE
* WGFE95.EXE
* WFINDV32.EXE
* WEBTRAP.EXE
* WEBSCANX.EXE
* WEBDAV.EXE
* WATCHDOG.EXE
* W9X.EXE
* W32DSM89.EXE
* VSWINPERSE.EXE
* VSWINNTSE.EXE
* VSWIN9XE.EXE
* VSSTAT.EXE
* VSMON.EXE
* VSMAIN.EXE
* VSISETUP.EXE
* VSHWIN32.EXE
* VSECOMR.EXE
* VSCHED.EXE
* VSCENU6.02D30.EXE
* VSCAN40.EXE
* VPTRAY.EXE
* VPFW30S.EXE
* VPC42.EXE
* VPC32.EXE
* VNPC3000.EXE
* VNLAN300.EXE
* VIRUSMDPERSONALFIREWALL.EXE
* VIR-HELP.EXE
* VFSETUP.EXE
* VETTRAY.EXE
* VET95.EXE
* VET32.EXE
* VCSETUP.EXE
* VBWINNTW.EXE
* VBWIN9X.EXE
* VBUST.EXE
* VBCONS.EXE
* VBCMSERV.EXE
* UTPOST.EXE
* UPGRAD.EXE
* UPDATE.EXE
* UPDAT.EXE
* UNDOBOOT.EXE
* TVTMD.EXE
* TVMD.EXE
* TSADBOT.EXE
* TROJANTRAP3.EXE
* TRJSETUP.EXE
* TRJSCAN.EXE
* TRICKLER.EXE
* TRACERT.EXE
* TITANINXP.EXE
* TITANIN.EXE
* TGBOB.EXE
* TFAK5.EXE
* TFAK.EXE
* TEEKIDS.EXE
* TDS2-NT.EXE
* TDS2-98.EXE
* TDS-3.EXE
* TCM.EXE
* TCA.EXE
* TC.EXE
* TBSCAN.EXE
* TAUMON.EXE
* TASKMON.EXE
* TASKMO.EXE
* TASKMG.EXE
* SYSUPD.EXE
* SYSTEM32.EXE
* SYSTEM.EXE
* SYSEDIT.EXE
* SYMTRAY.EXE
* SYMPROXYSVC.EXE
* SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
* SWEEP95.EXE
* SVSHOST.EXE
* SVCHOSTS.EXE
* SVCHOSTC.EXE
* SVC.EXE
* SUPPORTER5.EXE
* SUPPORT.EXE
* SUPFTRL.EXE
* STCLOADER.EXE
* START.EXE
* ST2.EXE
* SSG_4104.EXE
* SSGRATE.EXE
* SS3EDIT.EXE
* SRNG.EXE
* SREXE.EXE
* SPYXX.EXE
* SPOOLSV32.EXE
* SPOOLCV.EXE
* SPOLER.EXE
* SPHINX.EXE
* SPF.EXE
* SPERM.EXE
* SOFI.EXE
* SOAP.EXE
* SMSS32.EXE
* SMS.EXE
* SMC.EXE
* SHOWBEHIND.EXE
* SHN.EXE
* SHELLSPYINSTALL.EXE
* SH.EXE
* SGSSFW32.EXE
* SFC.EXE
* SETUP_FLOWPROTECTOR_US.EXE
* SETUPVAMEEVAL.EXE
* SERVLCES.EXE
* SERVLCE.EXE
* SERVICE.EXE
* SERV95.EXE
* SD.EXE
* SCVHOST.EXE
* SCRSVR.EXE
* SCRSCAN.EXE
* SCANPM.EXE
* SCAN95.EXE
* SCAN32.EXE
* SCAM32.EXE
* SC.EXE
* SBSERV.EXE
* SAVENOW.EXE
* SAVE.EXE
* SAHAGENT.EXE
* SAFEWEB.EXE
* RUXDLL32.EXE
* RUNDLL16.EXE
* RUNDLL.EXE
* RUN32DLL.EXE
* RULAUNCH.EXE
* RTVSCN95.EXE
* RTVSCAN.EXE
* RSHELL.EXE
* RRGUARD.EXE
* RESCUE32.EXE
* RESCUE.EXE
* REGEDT32.EXE
* REGEDIT.EXE
* REGED.EXE
* REALMON.EXE
* RCSYNC.EXE
* RB32.EXE
* RAY.EXE
* RAV8WIN32ENG.EXE
* RAV7WIN.EXE
* RAV7.EXE
* RAPAPP.EXE
* QSERVER.EXE
* QCONSOLE.EXE
* PVIEW95.EXE
* PUSSY.EXE
* PURGE.EXE
* PSPF.EXE
* PROTECTX.EXE
* PROPORT.EXE
* PROGRAMAUDITOR.EXE
* PROCEXPLORERV1.0.EXE
* PROCESSMONITOR.EXE
* PROCDUMP.EXE
* PRMVR.EXE
* PRMT.EXE
* PRIZESURFER.EXE
* PPVSTOP.EXE
* PPTBC.EXE
* PPINUPDT.EXE
* POWERSCAN.EXE
* PORTMONITOR.EXE
* PORTDETECTIVE.EXE
* POPSCAN.EXE
* POPROXY.EXE
* POP3TRAP.EXE
* PLATIN.EXE
* PINGSCAN.EXE
* PGMONITR.EXE
* PFWADMIN.EXE
* PF2.EXE
* PERSWF.EXE
* PERSFW.EXE
* PERISCOPE.EXE
* PENIS.EXE
* PDSETUP.EXE
* PCSCAN.EXE
* PCIP10117_0.EXE
* PCFWALLICON.EXE
* PCDSETUP.EXE
* PCCWIN98.EXE
* PCCWIN97.EXE
* PCCNTMON.EXE
* PCCIOMON.EXE
* PCC2K_76_1436.EXE
* PCC2002S902.EXE
* PAVW.EXE
* PAVSCHED.EXE
* PAVPROXY.EXE
* PAVCL.EXE
* PATCH.EXE
* PANIXK.EXE
* PADMIN.EXE
* OUTPOSTPROINSTALL.EXE
* OUTPOSTINSTALL.EXE
* OUTPOST.EXE
* OTFIX.EXE
* OSTRONET.EXE
* OPTIMIZE.EXE
* ONSRVR.EXE
* OLLYDBG.EXE
* NWTOOL16.EXE
* NWSERVICE.EXE
* NWINST4.EXE
* NVSVC32.EXE
* NVC95.EXE
* NVARCH16.EXE
* NUPGRADE.EXE
* NUI.EXE
* NTXconfig.EXE
* NTVDM.EXE
* NTRTSCAN.EXE
* NT.EXE
* NSUPDATE.EXE
* NSTASK32.EXE
* NSSYS32.EXE
* NSCHED32.EXE
* NPSSVC.EXE
* NPSCHECK.EXE
* NPROTECT.EXE
* NPFMESSENGER.EXE
* NPF40_TW_98_NT_ME_2K.EXE
* NOTSTART.EXE
* NORTON_INTERNET_SECU_3.0_407.EXE
* NORMIST.EXE
* NOD32.EXE
* NMAIN.EXE
* NISUM.EXE
* NISSERV.EXE
* NETUTILS.EXE
* NETSTAT.EXE
* NETSPYHUNTER-1.2.EXE
* NETSCANPRO.EXE
* NETMON.EXE
* NETINFO.EXE
* NETD32.EXE
* NETARMOR.EXE
* NEOWATCHLOG.EXE
* NEOMONITOR.EXE
* NDD32.EXE
* NCINST4.EXE
* NC2000.EXE
* NAVWNT.EXE
* NAVW32.EXE
* NAVSTUB.EXE
* NAVNT.EXE
* NAVLU32.EXE
* NAVENGNAVEX15.NAVLU32.EXE
* NAVDX.EXE
* NAVAPW32.EXE
* NAVAPSVC.EXE
* NAVAP.NAVAPSVC.EXE
* AUTO-PROTECT.NAV80TRY.EXE
* NAV.EXE
* N32SCANW.EXE
* MWATCH.EXE
* MU0311AD.EXE
* MSVXD.EXE
* MSSYS.EXE
* MSSMMC32.EXE
* MSMSGRI32.EXE
* MSMGT.EXE
* MSLAUGH.EXE
* MSINFO32.EXE
* MSIEXEC16.EXE
* MSDOS.EXE
* MSDM.EXE
* MSCONFIG.EXE
* MSCMAN.EXE
* MSCCN32.EXE
* MSCACHE.EXE
* MSBLAST.EXE
* MSBB.EXE
* MSAPP.EXE
* MRFLUX.EXE
* MPFTRAY.EXE
* MPFSERVICE.EXE
* MPFAGENT.EXE
* MOSTAT.EXE
* MOOLIVE.EXE
* MONITOR.EXE
* MMOD.EXE
* MINILOG.EXE
* MGUI.EXE
* MGHTML.EXE
* MGAVRTE.EXE
* MGAVRTCL.EXE
* MFWENG3.02D30.EXE
* MFW2EN.EXE
* MFIN32.EXE
* MD.EXE
* MCVSSHLD.EXE
* MCVSRTE.EXE
* MCUPDATE.EXE
* MCTOOL.EXE
* MCSHIELD.EXE
* MCMNHDLR.EXE
* MCAGENT.EXE
* MAPISVC32.EXE
* LUSPT.EXE
* LUINIT.EXE
* LUCOMSERVER.EXE
* LUAU.EXE
* LUALL.EXE
* LSETUP.EXE
* LORDPE.EXE
* LOOKOUT.EXE
* LOCKDOWN2000.EXE
* LOCKDOWN.EXE
* LOCALNET.EXE
* LOADER.EXE
* LNETINFO.EXE
* LDSCAN.EXE
* LDPROMENU.EXE
* LDPRO.EXE
* LDNETMON.EXE
* LAUNCHER.EXE
* KILLPROCESSSETUP161.EXE
* KERNEL32.EXE
* KERIO-WRP-421-EN-WIN.EXE
* KERIO-WRL-421-EN-WIN.EXE
* KERIO-PF-213-EN-WIN.EXE
* KEENVALUE.EXE
* KAZZA.EXE
* KAVPF.EXE
* KAVPERS40ENG.EXE
* KAVLITE40ENG.EXE
* JEDI.EXE
* JDBGMRG.EXE
* JAMMER.EXE
* ISTSVC.EXE
* ISRV95.EXE
* ISASS.EXE
* IRIS.EXE
* IPARMOR.EXE
* IOMON98.EXE
* INTREN.EXE
* INTDEL.EXE
* INIT.EXE
* INFWIN.EXE
* INFUS.EXE
* INETLNFO.EXE
* IFW2000.EXE
* IFACE.EXE
* IEXPLORER.EXE
* IEDRIVER.EXE
* IEDLL.EXE
* IDLE.EXE
* ICSUPPNT.EXE
* ICSUPP95.EXE
* ICMON.EXE
* ICLOADNT.EXE
* ICLOAD95.EXE
* IBMAVSP.EXE
* IBMASN.EXE
* IAMSTATS.EXE
* IAMSERV.EXE
* IAMAPP.EXE
* HXIUL.EXE
* HXDL.EXE
* HWPE.EXE
* HTPATCH.EXE
* HTLOG.EXE
* HOTPATCH.EXE
* HOTACTIO.EXE
* HBSRV.EXE
* HBINST.EXE
* HACKTRACERSETUP.EXE
* GUARDDOG.EXE
* GUARD.EXE
* GMT.EXE
* GENERICS.EXE
* GBPOLL.EXE
* GBMENU.EXE
* GATOR.EXE
* FSMB32.EXE
* FSMA32.EXE
* FSM32.EXE
* FSGK32.EXE
* FSAV95.EXE
* FSAV530WTBYB.EXE
* FSAV530STBYB.EXE
* FSAV32.EXE
* FSAV.EXE
* FSAA.EXE
* FRW.EXE
* FPROT.EXE
* FP-WIN_TRIAL.EXE
* FP-WIN.EXE
* FNRB32.EXE
* FLOWPROTECTOR.EXE
* FIREWALL.EXE
* FINDVIRU.EXE
* FIH32.EXE
* FCH32.EXE
* FAST.EXE
* FAMEH32.EXE
* F-STOPW.EXE
* F-PROT95.EXE
* F-PROT.EXE
* F-AGNT95.EXE
* EXPLORE.EXE
* EXPERT.EXE
* EXE.AVXW.EXE
* EXANTIVIRUS-CNET.EXE
* EVPN.EXE
* ETRUSTCIPE.EXE
* ETHEREAL.EXE
* ESPWATCH.EXE
* ESCANV95.EXE
* ESCANHNT.EXE
* ESCANH95.EXE
* ESAFE.EXE
* ENT.EXE
* EMSW.EXE
* EFPEADM.EXE
* ECENGINE.EXE
* DVP95_0.EXE
* DVP95.EXE
* DSSAGENT.EXE
* DRWEBUPW.EXE
* DRWEB32.EXE
* DRWATSON.EXE
* DPPS2.EXE
* DPFSETUP.EXE
* DPF.EXE
* DOORS.EXE
* DLLREG.EXE
* DLLCACHE.EXE
* DIVX.EXE
* DEPUTY.EXE
* DEFWATCH.EXE
* DEFSCANGUI.EXE
* DEFALERT.EXE
* DCOMX.EXE
* DATEMANAGER.EXE
* Claw95.EXE
* CWNTDWMO.EXE
* CWNB181.EXE
* CV.EXE
* CTRL.EXE
* CPFNT206.EXE
* CPF9X206.EXE
* CPD.EXE
* CONNECTIONMONITOR.EXE
* CMON016.EXE
* CMGRDIAN.EXE
* CMESYS.EXE
* CMD32.EXE
* CLICK.EXE
* CLEANPC.EXE
* CLEANER3.EXE
* CLEANER.EXE
* CLEAN.EXE
* CLAW95CF.EXE
* CFINET32.EXE
* CFINET.EXE
* CFIAUDIT.EXE
* CFIADMIN.EXE
* CFGWIZ.EXE
* CFD.EXE
* CDP.EXE
* CCPXYSVC.EXE
* CCEVTMGR.EXE
* CCAPP.EXE
* BVT.EXE
* BUNDLE.EXE
* BS120.EXE
* BRASIL.EXE
* BPC.EXE
* BORG2.EXE
* BOOTWARN.EXE
* BOOTCONF.EXE
* BLSS.EXE
* BLACKICE.EXE
* BLACKD.EXE
* BISP.EXE
* BIPCPEVALSETUP.EXE
* BIPCP.EXE
* BIDSERVER.EXE
* BIDEF.EXE
* BELT.EXE
* BEAGLE.EXE
* BD_PROFESSIONAL.EXE
* BARGAINS.EXE
* BACKWEB.EXE
* AVXQUAR.EXE
* AVXMONITORNT.EXE
* AVXMONITOR9X.EXE
* AVWUPSRV.EXE
* AVWUPD32.EXE
* AVWUPD.EXE
* AVWINNT.EXE
* AVWIN95.EXE
* AVSYNMGR.EXE
* AVSCHED32.EXE
* AVPUPD.EXE
* AVPTC32.EXE
* AVPM.EXE
* AVPDOS32.EXE
* AVPCC.EXE
* AVP32.EXE
* AVP.EXE
* AVNT.EXE
* AVLTMAIN.EXE
* AVKWCTl9.EXE
* AVKSERVICE.EXE
* AVKSERV.EXE
* AVKPOP.EXE
* AVGW.EXE
* AVGUARD.EXE
* AVGSERV9.EXE
* AVGSERV.EXE
* AVGNT.EXE
* AVGCTRL.EXE
* AVGCC32.EXE
* AVE32.EXE
* AVCONSOL.EXE
* AUTOUPDATE.EXE
* AUTOTRACE.EXE
* AUTODOWN.EXE
* AUPDATE.EXE
* AU.EXE
* ATWATCH.EXE
* ATUPDATER.EXE
* ATRO55EN.EXE
* ATGUARD.EXE
* ATCON.EXE
* ARR.EXE
* APVXDWIN.EXE
* APLICA32.EXE
* APIMONITOR.EXE
* ANTS.EXE
* ANTIVIRUS.EXE
* ANTI-TROJAN.EXE
* AMON9X.EXE
* ALOGSERV.EXE
* ALEVIR.EXE
* ALERTSVC.EXE
* AGENTW.EXE
* AGENTSVR.EXE
* ADVXDWIN.EXE
* ADAWARE.EXE
* ACKWIN32.EXE
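The following Python script is an added example, not Symantec's tooling and not code from this write-up. It checks the indicators from steps 2 to 9 against data that can be collected offline: a regedit-style .reg export, a list of running process names and a list of file paths. Assumptions: the .reg text, process names and file paths embedded below are constructed sample data for an infected Windows XP host; the kill list is a representative subset of the names listed above; EnableDCOM is looked up under its full path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE. The mutex (step 1) and the outbound connection (step 8) are not checked here because they cannot be read from static exports.

```python
"""Offline triage for the W32.Gaobot.DXO indicators in steps 2 to 9 above.
Added example, not Symantec's tooling: it reads a regedit-style .reg export, a
process list and a file list and reports which indicators are present."""
import re

# Autostart locations and value the worm writes (lower-cased; registry paths and
# value names are case-insensitive).
RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\ole",
)
RUN_VALUE, WORM_IMAGE = "ie6", "ssmss.exe"
# Settings the worm forces. EnableDCOM lives under HKLM\SOFTWARE\Microsoft\OLE.
FORCED = (
    (r"hkey_local_machine\software\microsoft\ole", "enabledcom", "n"),
    (r"hkey_local_machine\system\currentcontrolset\control\lsa", "restrictanonymous", "1"),
)
# Representative subset of the kill list above (the page names several hundred).
KILL_LIST = {n.lower() for n in (
    "ZONEALARM.EXE", "VSMON.EXE", "NAVAPSVC.EXE", "RTVSCAN.EXE", "CCAPP.EXE",
    "MCSHIELD.EXE", "AVP32.EXE", "AVGUARD.EXE", "OUTPOST.EXE", "BLACKICE.EXE",
    "REGEDIT.EXE", "MSCONFIG.EXE", "NETSTAT.EXE", "OLLYDBG.EXE", "ETHEREAL.EXE",
    "MSBLAST.EXE", "BBEAGLE.EXE",
)}


def parse_reg(text):
    """Parse a regedit 5.00 export into {(key, name): data}, everything lower-cased.
    Handles REG_SZ ("...") and dword: data, which covers every value the write-up
    mentions; other types are stored verbatim."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line) if key else None
        if not m:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escapes
        elif raw.lower().startswith("dword:"):
            data = str(int(raw[6:], 16))               # dword:00000001 -> "1"
        else:
            data = raw
        values[(key, name)] = data.lower()
    return values


def check_registry(values):
    """Findings for the IE6 autostart value and the two forced settings."""
    findings = []
    for key in RUN_KEYS:
        data = values.get((key, RUN_VALUE))
        if data is not None and data.endswith(WORM_IMAGE):
            findings.append(f"autostart: {key}\\{RUN_VALUE} = {data}")
    for key, name, bad in FORCED:
        if values.get((key, name)) == bad:
            findings.append(f"forced setting: {key}\\{name} = {bad}")
    return findings


def check_processes(running):
    """Return (worm images running, listed tools the worm would terminate).
    ssmss.exe is the worm; the legitimate Session Manager is smss.exe."""
    names = {p.lower() for p in running}
    return sorted(n for n in names if n == WORM_IMAGE), sorted(names & KILL_LIST)


def check_files(paths, system_dir=r"C:\Windows\System32"):
    """Flag the dropped copy at %System%\\ssmss.exe (case-insensitive)."""
    target = f"{system_dir}\\{WORM_IMAGE}".lower()
    return [p for p in paths if p.lower() == target]


# Constructed sample data for an infected Windows XP host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\\Progra~1\\Symantec\\ccApp.exe"
"IE6"="ssmss.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"IE6"="ssmss.exe"
[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"IE6"="ssmss.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE]
"EnableDCOM"="N"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
"restrictanonymous"=dword:00000001
"""
SAMPLE_PROCS = ["smss.exe", "csrss.exe", "SSMSS.EXE", "ccApp.exe", "Rtvscan.exe"]
SAMPLE_FILES = [r"C:\Windows\System32\smss.exe", r"C:\Windows\System32\SSMSS.EXE"]

if __name__ == "__main__":
    print("\n".join(check_registry(parse_reg(SAMPLE_REG))))
    print(check_processes(SAMPLE_PROCS), check_files(SAMPLE_FILES))
```

On a real host, feed it the output of `regedit /e`, `tasklist` and a directory listing of %System%; pass `system_dir=r"C:\Winnt\System32"` on Windows NT/2000. A match on RestrictAnonymous or EnableDCOM alone is weak evidence, since hardening baselines set those values too; the IE6 autostart value and an ssmss.exe image are the specific indicators.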
REMOVAL INSTRUCTIONS
See:
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.dxo.html
Because the worm monitors its registry entries and re-creates them while it is running (step 6 above), end the ssmss.exe process and delete %System%\ssmss.exe before editing the registry, or the values will reappear.
To delete the value from the registry
1. Click Start > Run.
2. Type regedit
3. Click OK.
4. Navigate to the subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE
5. In the right pane, delete the value:
"IE6" = "ssmss.exe"
6. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
7. In the right pane, restore the value "restrictanonymous" to its pre-infection setting. The worm sets it to 1; the Windows default is 0. If your hardening baseline deliberately sets it to 1, leave it at 1.
8. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
9. In the right pane, restore the value "EnableDCOM" to its pre-infection setting. The worm sets it to "N"; the Windows default is "Y". Leave it at "N" only if DCOM was already disabled on the computer before the infection.
10. Exit the Registry Editor.