Overview Technical Details Statistics
QUICK LINKS Solution | Critical Update
--------------------------------------------------------------------------------
Virus type: Worm
Destructive: Yes
Aliases: W32.HLLW.Gaobot.AO
Pattern file needed: 679 (0.679.03)
Scan engine needed: 5.600
Overall risk rating: Low
--------------------------------------------------------------------------------
Reported infections: Low
Damage Potential: High
Distribution Potential: High
--------------------------------------------------------------------------------
Description:
This memory-resident worm propagates through network-shared folders.
Like the earlier AGOBOT variant, WORM_AGOBOT.AN, it also exploits certain vulnerabilities to propagate across the network. It takes advantage of the following Windows vulnerabilities:
Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
IIS5/WEBDAV Buffer Overflow vulnerability
For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:
Microsoft Security Bulletin MS03-026
Microsoft Security Bulletin MS03-001.
This worm also has backdoor capabilities. It randomly opens a TCP port where it waits for connection from a remote user. It also connects to an IRC channel and waits for commands from a remote malicious user.
It allows a remote user to perform the following malicious actions:
Log off user
Shut down the machine
Reboot the machine
Connect to a different IRC server
Reconnect to an IRC server
Send raw message to the IRC server
Quit from the IRC session
Send a private message
Leave a channel
Print netinfo
Perform a mode change
Join a channel
Disconnect from IRC server
It also terminates antivirus-related processes and steals CD keys of certain game applications.
It is compressed with Neolite and runs on Windows 2000 and XP.
Solution:
AUTOMATIC REMOVAL INSTRUCTIONS
To automatically remove this malware from your system, please use Trend Micro Damage Cleanup Services.
MANUAL REMOVAL INSTRUCTIONS
Disconnecting Network Connection
Unplug the Unshielded Twisted Pair (UTP) cable that is normally located at the back of the machine to disconnect from the network and avoid reinfection.
Apply the proceeding instructions. Once the malware is completely removed from all the machines in the network, it is then safe to plug the UTP cable and reconnect to the network.
Terminating the Malware Program
This procedure terminates the running malware process from memory.
Open Windows Task Manager. Press
CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs, locate the process:
CSRRS.EXE
Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup.
To remove the malware autostart entries:
Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
%System32%CSRRS.EXE
Note: %System32% is the Windows system folder, which is usually C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>
CurrentVersion>RunServices
In the right panel, locate and delete the entry or entries:
%System32%CSRRS.EXE
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
Applying Patches
This malware exploits known vulnerabilities affecting the Windows NT platforms. Download and install the following to patch your system.
IIS5/WEBDAV vulnerability patch
Windows NT
http://microsoft.com/downloads/detai...displaylang=en
Windows NT Terminal Server
http://microsoft.com/downloads/detai...displaylang=en
Windows XP 32 bit
http://microsoft.com/downloads/detai...displaylang=en
Windows XP 64 bit
http://microsoft.com/downloads/detai...displaylang=en
DCOM Patch
WindowsNT
http://microsoft.com/downloads/detai...displaylang=en
WindowsNT Terminal Server
http://microsoft.com/downloads/detai...displaylang=en
Windows 2000
http://microsoft.com/downloads/detai...displaylang=en
WindowsXP 32bit
http://microsoft.com/downloads/detai...displaylang=en
WindowsXP 64bit
http://microsoft.com/downloads/detai...displaylang=en
RPC Patch
Windows NT
http://www.microsoft.com/downloads/d...displaylang=en
Windows NT Terminal Server
http://www.microsoft.com/downloads/d...displaylang=en
Windows 2000
http://www.microsoft.com/downloads/d...displaylang=en
Windows XP 32 bit
http://www.microsoft.com/downloads/d...displaylang=en
Windows XP 64bit
http://www.microsoft.com/downloads/d...displaylang=en
Windows 2003 server 64 bit
http://www.microsoft.com/downloads/d...displaylang=en
Refrain from using the affected software until the appropriate patch has been installed.
Additional Windows XP Cleaning Instructions
Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as WORM_AGOBOT.AP. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner.
Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business or home PC.
Here ya go then.