Got Gaobot?

Discussion in 'malware problems & news' started by Pigman, May 15, 2004.

Thread Status:
Not open for further replies.
  1. Pigman

    Pigman Guest

    Okay, here's a weird one. My high school's computers have been acting up for about a week, and Norton has detected the Gaobot virus on the network. What bugs me is that the virus is doing things that I've never heard of Gaobot doing - hogging RAM and virtual memory, and completely barring internet access of any kind. Is this some strain I haven't heard of, or has the virus somehow allowed other viruses to get in? And how do I prevent this sucker from getting me?
     
  2. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
  3. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    W32.HLLW.Gaobot.gen.

    This isn't my comp, it's a school network. The way they've decided to handle it is to shut down the network and erase the computers' HDs one at a time, keeping only one computer on at a time to quarantine the virus. Seems a little extreme to me.
     
  4. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    It sounds like whoever is in charge of their network is not too informed on how to handle virus infections and malware.
     
  5. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    this is insane. tell them to download that small removal tool and run it on every PC. as simple as it can get.
     
  6. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    Yep, I noticed the removal tools that Symantec had - one of them for a nasty variety of Gaobot, IIRC - but didn't figure they'd work on a network.

    What I wonder, though, is how the network got infected in the first place. My current guess is that they didn't have the resident protection on. (It probably would have showed up in the Systray.)
     
  7. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    well i'm sure it doesn't scan network drives but cleaning individual computers will do the trick. that's why i told you to scan every PC. you could be right about the realtime protection.
     
  8. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    Fortunately, I'm not the one in charge of the network. Just one computer is enough to drive me perfectly batty, thank you. ;)

    But yeah, thanks for the info. Now I know what to do if I get that thing.
     
  9. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    And another worm rears its ugly head...

    Well, now they've got Sasser on the system. It seems this is a backdoor-creating variety of Gaobot. I'm willing to bet that a lot of their problems were actually caused by Sasser, but Norton AV didn't catch it until now.

    What bugs me is that they didn't keep their OS up-to-date. Come on, there must be some way to do Windows Updates on networks! Microsoft isn't that lazy!
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Re: And another worm rears its ugly head...

    It's very easy with Active Directory, just put the patches in a folder and all client machines will update themselves :)

    The simpler way is to just download the patch and distribute it to all machines, then use a script to remotely execute it (with parameters to run it silently). Microsoft have plenty of documentation on both these methods.

    The problem with Agobot is that it is open source, and there are hundreds of variants. The lesser known variants are the worst, since there are variants out there which no AV detects. You need a sample to analyse before you can add detection, and even with good generic signatures they can avoid detection by carefully recompiling their versions.
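The "copy the patch out and run it silently from a script" approach Gavin describes, as an added PowerShell example that is not part of this thread. The computer names, patch file name and paths are constructed placeholders; it assumes local admin rights on the targets, PowerShell Remoting (WinRM) enabled, and a package that accepts the /quiet /norestart switches used by Microsoft update packages.

```powershell
# Added example, not from the thread: stage one patch package on each machine
# in a list, run it silently there, and record the result per host.
# Assumptions: admin rights on targets, WinRM enabled, package accepts /quiet /norestart.
$PatchSource = 'C:\Patches\PATCH-PLACEHOLDER.exe'     # placeholder file name
$RemoteLocal = 'C:\Temp\Patches'                      # staging folder on each target
$Computers   = @('LAB-PC01', 'LAB-PC02', 'LAB-PC03')  # constructed sample list
$LogFile     = 'C:\Patches\deploy-log.csv'
$PatchName   = Split-Path -Path $PatchSource -Leaf

$results = foreach ($pc in $Computers) {
    $status = 'unknown'
    try {
        # Stage the file over the admin share (C:\Temp\Patches -> \\host\C$\Temp\Patches)
        # so the target runs a local copy rather than pulling it across the network.
        $share = "\\$pc\" + ($RemoteLocal -replace ':', '$')
        New-Item -Path $share -ItemType Directory -Force | Out-Null
        Copy-Item -Path $PatchSource -Destination $share -Force

        # Run the package silently on the target and wait for its exit code.
        $exit = Invoke-Command -ComputerName $pc -ScriptBlock {
            param($patchPath)
            $p = Start-Process -FilePath $patchPath `
                               -ArgumentList '/quiet', '/norestart' `
                               -Wait -PassThru
            $p.ExitCode
        } -ArgumentList (Join-Path $RemoteLocal $PatchName)

        # 0 = installed; 3010 = installed, reboot pending (standard installer codes).
        $status = switch ($exit) {
            0       { 'installed' }
            3010    { 'installed-reboot-needed' }
            default { "failed (exit $exit)" }
        }
    } catch {
        # Unreachable host, access denied, copy failure: keep going with the rest.
        $status = "error: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Computer = $pc; Status = $status; Time = Get-Date }
}

# Keep a record of which machines still need attention (or a reboot).
$results | Export-Csv -Path $LogFile -NoTypeInformation
$results | Format-Table -AutoSize
```

Machines reported as failed or unreachable are the ones still exposed, so the log is the list to follow up on before the network goes back into service.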