Okay, here's a weird one. My high school's computers have been acting up for about a week, and Norton has detected the Gaobot virus on the network. What bugs me is that the virus is doing things that I've never heard of Gaobot doing - hogging RAM and virtual memory, and completely barring internet access of any kind. Is this some strain I haven't heard of, or has the virus somehow allowed other viruses to get in? And how do I prevent this sucker from getting me?
Gaobot comes in many, many flavours. Some of them act as a backdoor and participate in DDoS attacks. So when Norton detected Gaobot, what strain did it report? Use a removal tool from Symantec. For W32.HLLW.Gaobot.AG, W32.HLLW.Gaobot.AO, W32.Gaobot.SY, W32.Gaobot.ZX, W32.Gaobot.ADX, W32.Gaobot.AJD and W32.HLLW.Gaobot.Gen, use this: http://securityresponse.symantec.com/avcenter/FxGaobot.exe For W32.Gaobot.UJ, use this: http://securityresponse.symantec.com/avcenter/FxGaobotUJ.exe
W32.HLLW.Gaobot.gen. This isn't my comp, it's a school network. The way they've decided to handle it is to shut down the network and erase the computers' HDs one at a time, keeping only one computer on at a time to quarantine the virus. Seems a little extreme to me.
It sounds like whoever is in charge of their network is not too informed on how to handle virus infections and malware.
This is insane. Tell them to download that small removal tool and run it on every PC. As simple as it can get.
Yep, I noticed the removal tools that Symantec had - one of them for a nasty variety of Gaobot, IIRC - but didn't figure they'd work on a network. What I wonder, though, is how the network got infected in the first place. My current guess is that they didn't have the resident protection on. (It probably would have shown up in the Systray.)
Well, I'm sure it doesn't scan network drives, but cleaning individual computers will do the trick. That's why I told you to scan every PC. You could be right about the real-time protection.
Fortunately, I'm not the one in charge of the network. Just one computer is enough to drive me perfectly batty, thank you. But yeah, thanks for the info. Now I know what to do if I get that thing.
And another worm rears its ugly head... Well, now they've got Sasser on the system. It seems this is a backdoor-creating variety of Gaobot. I'm willing to bet that a lot of their problems were actually caused by Sasser, but Norton AV didn't catch it until now. What bugs me is that they didn't keep their OS up-to-date. Come on, there must be some way to do Windows Updates on networks! Microsoft isn't that lazy!
Re: And another worm rears its ugly head... It's very easy with Active Directory: just put the patches in a folder and all client machines will update themselves. The simpler way is to just download the patch and distribute it to all machines, then use a script to remotely execute it (with parameters to run it silently). Microsoft have plenty of documentation on both these methods. The problem with Agobot is that it is open source, and there are hundreds of variants. The lesser-known variants are the worst, since there are variants out there which no AV detects. You need a sample to analyse before you can add detection, and even with good generic signatures they can avoid detection by carefully recompiling their versions.
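The "distribute the patch, then run it silently with a script" approach from the last reply could look like the PowerShell sketch below. It is an added example, not something posted in this thread; the KB id, file share, host list and silent switches are placeholders or assumptions, and PowerShell remoting is assumed to be enabled on the clients.

```powershell
# Added example. Every name, path and id here is a placeholder, not a value from the thread.
$HotFixId   = 'KB0000000'                        # placeholder: id of the update being rolled out
$PatchShare = '\\fileserver\patches\update.exe'  # hypothetical share holding the downloaded patch
$SilentArgs = '/quiet /norestart'                # assumption: silent switches vary per package
$Computers  = Get-Content -Path '.\lab-computers.txt'   # hypothetical list, one host name per line

$report = foreach ($name in $Computers) {
    $status = 'Unknown'
    try {
        if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
            $status = 'Offline'                  # revisit later; an unpatched host can reinfect the rest
        }
        elseif (Get-HotFix -Id $HotFixId -ComputerName $name -ErrorAction SilentlyContinue) {
            $status = 'AlreadyPatched'
        }
        else {
            # Copy the installer to the client first: a remote session cannot
            # normally reach a second network share (the "double hop" limit).
            Copy-Item -Path $PatchShare -Destination "\\$name\C$\Windows\Temp\update.exe" -Force
            $exit = Invoke-Command -ComputerName $name -ArgumentList $SilentArgs -ScriptBlock {
                param($installerArgs)
                $p = Start-Process -FilePath 'C:\Windows\Temp\update.exe' `
                                   -ArgumentList $installerArgs -Wait -PassThru
                $p.ExitCode
            }
            # 0 = success, 3010 = success but a reboot is still required
            $status = switch ($exit) {
                0       { 'Installed' }
                3010    { 'InstalledRebootNeeded' }
                default { "Failed($exit)" }
            }
        }
    }
    catch {
        $status = "Error: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Computer = $name; Status = $status }
}

# The report matters as much as the install: it shows which machines are still exposed.
$report | Sort-Object Status | Format-Table -AutoSize
$report | Export-Csv -Path '.\patch-report.csv' -NoTypeInformation
```

Re-running the script after reboots should move every reachable host to AlreadyPatched; anything still listed as Offline or Failed needs hands-on attention before it rejoins the network.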