Ironworks Gaming Forum - View Single Post

Mack_Attack · 05-28-2004, 01:10 PM

Overview Technical Details Statistics

QUICK LINKS Solution | Critical Update

--------------------------------------------------------------------------------

Virus type: Worm

Destructive: Yes

Aliases: W32.HLLW.Gaobot.AO

Pattern file needed: 679 (0.679.03)

Scan engine needed: 5.600

Overall risk rating: Low

--------------------------------------------------------------------------------

Reported infections: Low

Damage Potential: High

Distribution Potential: High

--------------------------------------------------------------------------------

Description:

This memory-resident worm propagates through network-shared folders.

Like the earlier AGOBOT variant, WORM_AGOBOT.AN, it also exploits certain vulnerabilities to propagate across the network. It takes advantage of the following Windows vulnerabilities:

Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
IIS5/WEBDAV Buffer Overflow vulnerability
For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

Microsoft Security Bulletin MS03-026
Microsoft Security Bulletin MS03-001.
This worm also has backdoor capabilities. It randomly opens a TCP port where it waits for connection from a remote user. It also connects to an IRC channel and waits for commands from a remote malicious user.

It allows a remote user to perform the following malicious actions:

Log off user
Shut down the machine
Reboot the machine
Connect to a different IRC server
Reconnect to an IRC server
Send raw message to the IRC server
Quit from the IRC session
Send a private message
Leave a channel
Print netinfo
Perform a mode change
Join a channel
Disconnect from IRC server
It also terminates antivirus-related processes and steals CD keys of certain game applications.

It is compressed with Neolite and runs on Windows 2000 and XP.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use Trend Micro Damage Cleanup Services.

MANUAL REMOVAL INSTRUCTIONS

Disconnecting Network Connection

Unplug the Unshielded Twisted Pair (UTP) cable that is normally located at the back of the machine to disconnect from the network and avoid reinfection.

Apply the proceeding instructions. Once the malware is completely removed from all the machines in the network, it is then safe to plug the UTP cable and reconnect to the network.

Terminating the Malware Program

This procedure terminates the running malware process from memory.

Open Windows Task Manager. Press
CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs, locate the process:
CSRRS.EXE
Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

To remove the malware autostart entries:

Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
%System32%CSRRS.EXE
Note: %System32% is the Windows system folder, which is usually C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.

In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>
CurrentVersion>RunServices
In the right panel, locate and delete the entry or entries:
%System32%CSRRS.EXE
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
Applying Patches

This malware exploits known vulnerabilities affecting the Windows NT platforms. Download and install the following to patch your system.

IIS5/WEBDAV vulnerability patch
Windows NT

http://microsoft.com/downloads/detai...displaylang=en

Windows NT Terminal Server

http://microsoft.com/downloads/detai...displaylang=en

Windows XP 32 bit

http://microsoft.com/downloads/detai...displaylang=en

Windows XP 64 bit

http://microsoft.com/downloads/detai...displaylang=en

DCOM Patch
WindowsNT

http://microsoft.com/downloads/detai...displaylang=en

WindowsNT Terminal Server

http://microsoft.com/downloads/detai...displaylang=en

Windows 2000

http://microsoft.com/downloads/detai...displaylang=en

WindowsXP 32bit

http://microsoft.com/downloads/detai...displaylang=en

WindowsXP 64bit

http://microsoft.com/downloads/detai...displaylang=en

RPC Patch
Windows NT

http://www.microsoft.com/downloads/d...displaylang=en

Windows NT Terminal Server

http://www.microsoft.com/downloads/d...displaylang=en

Windows 2000

http://www.microsoft.com/downloads/d...displaylang=en

Windows XP 32 bit

http://www.microsoft.com/downloads/d...displaylang=en

Windows XP 64bit

http://www.microsoft.com/downloads/d...displaylang=en

Windows 2003 server 64 bit

http://www.microsoft.com/downloads/d...displaylang=en

Refrain from using the affected software until the appropriate patch has been installed.

Additional Windows XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_AGOBOT.AP. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner.

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business or home PC.

Here ya go then.

05-28-2004, 01:10 PM	#4
Mack_Attack Osiris - Egyptian God of the Underworld Join Date: May 22, 2001 Location: Sherwoodpark,Alberta,Canada Age: 51 Posts: 2,929	Overview Technical Details Statistics QUICK LINKS Solution \| Critical Update -------------------------------------------------------------------------------- Virus type: Worm Destructive: Yes Aliases: W32.HLLW.Gaobot.AO Pattern file needed: 679 (0.679.03) Scan engine needed: 5.600 Overall risk rating: Low -------------------------------------------------------------------------------- Reported infections: Low Damage Potential: High Distribution Potential: High -------------------------------------------------------------------------------- Description: This memory-resident worm propagates through network-shared folders. Like the earlier AGOBOT variant, WORM_AGOBOT.AN, it also exploits certain vulnerabilities to propagate across the network. It takes advantage of the following Windows vulnerabilities: Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability IIS5/WEBDAV Buffer Overflow vulnerability For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages: Microsoft Security Bulletin MS03-026 Microsoft Security Bulletin MS03-001. This worm also has backdoor capabilities. It randomly opens a TCP port where it waits for connection from a remote user. It also connects to an IRC channel and waits for commands from a remote malicious user. It allows a remote user to perform the following malicious actions: Log off user Shut down the machine Reboot the machine Connect to a different IRC server Reconnect to an IRC server Send raw message to the IRC server Quit from the IRC session Send a private message Leave a channel Print netinfo Perform a mode change Join a channel Disconnect from IRC server It also terminates antivirus-related processes and steals CD keys of certain game applications. It is compressed with Neolite and runs on Windows 2000 and XP. Solution: AUTOMATIC REMOVAL INSTRUCTIONS To automatically remove this malware from your system, please use Trend Micro Damage Cleanup Services. MANUAL REMOVAL INSTRUCTIONS Disconnecting Network Connection Unplug the Unshielded Twisted Pair (UTP) cable that is normally located at the back of the machine to disconnect from the network and avoid reinfection. Apply the proceeding instructions. Once the malware is completely removed from all the machines in the network, it is then safe to plug the UTP cable and reconnect to the network. Terminating the Malware Program This procedure terminates the running malware process from memory. Open Windows Task Manager. Press CTRL+SHIFT+ESC, and click the Processes tab. In the list of running programs, locate the process: CSRRS.EXE Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system. To check if the malware process has been terminated, close Task Manager, and then open it again. Close Task Manager. Removing Autostart Entries from the Registry Removing autostart entries from the registry prevents the malware from executing during startup. To remove the malware autostart entries: Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft> Windows>CurrentVersion>Run In the right panel, locate and delete the entry: %System32%CSRRS.EXE Note: %System32% is the Windows system folder, which is usually C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows> CurrentVersion>RunServices In the right panel, locate and delete the entry or entries: %System32%CSRRS.EXE Close Registry Editor. NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system. Applying Patches This malware exploits known vulnerabilities affecting the Windows NT platforms. Download and install the following to patch your system. IIS5/WEBDAV vulnerability patch Windows NT http://microsoft.com/downloads/detai...displaylang=en Windows NT Terminal Server http://microsoft.com/downloads/detai...displaylang=en Windows XP 32 bit http://microsoft.com/downloads/detai...displaylang=en Windows XP 64 bit http://microsoft.com/downloads/detai...displaylang=en DCOM Patch WindowsNT http://microsoft.com/downloads/detai...displaylang=en WindowsNT Terminal Server http://microsoft.com/downloads/detai...displaylang=en Windows 2000 http://microsoft.com/downloads/detai...displaylang=en WindowsXP 32bit http://microsoft.com/downloads/detai...displaylang=en WindowsXP 64bit http://microsoft.com/downloads/detai...displaylang=en RPC Patch Windows NT http://www.microsoft.com/downloads/d...displaylang=en Windows NT Terminal Server http://www.microsoft.com/downloads/d...displaylang=en Windows 2000 http://www.microsoft.com/downloads/d...displaylang=en Windows XP 32 bit http://www.microsoft.com/downloads/d...displaylang=en Windows XP 64bit http://www.microsoft.com/downloads/d...displaylang=en Windows 2003 server 64 bit http://www.microsoft.com/downloads/d...displaylang=en Refrain from using the affected software until the appropriate patch has been installed. Additional Windows XP Cleaning Instructions Running Trend Micro Antivirus Scan your system with Trend Micro antivirus and delete all files detected as WORM_AGOBOT.AP. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner. Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business or home PC. Here ya go then. __________________