Home > General > Gaobot.gen


To do this, click Start>Run, type regedit in the text box provided, then press Enter. Antivirus Protection Dates Initial Rapid Release version March 19, 2004 Latest Rapid Release version August 8, 2016 revision 023 Initial Daily Certified version March 19, 2004 Latest Daily Certified version August Top Threat behavior When Win32/Gaobot.gen is run, it copies itself to either the Windows or System directories. It also effectively removes all existing Internet Worms, File viruses, malicious VB, Java scripts, Trojans, Backdoors, boot sector, partition table and macro viruses. Source

The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. HKLM\Software\Microsoft\Windows\CurrentVersion\Run "key name" = "" Gaobot worm connects to IRC channel and allows fullaccess to the infected system. This could be used to map hostnames different IP addresses redirecting traffic to an alternate location.Enumerates process listNo digital signature is present McAfee ScansScan DetectionsMcAfee BetaW32/Gaobot.worm.gen.dMcAfee SupportedW32/Gaobot.worm.gen.d System Changes Some path Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not reinfect the computer after it has been removed, Symantec suggests sharing with Read over here

Then, run a regular scan of the system with proper exclusions:"C:\Documents and Settings\user1\Desktop\FxGaobot.exe" /NOFILESCAN /LOG=c:\FxGaobot.txtNote: You can give the log file any name and save it to any location.Digital signatureFor security The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Back to Top View Virus Characteristics Virus Information Virus Removal Tools Threat Activity Top Tracked Viruses Virus Hoaxes Regional Virus Information Global Virus Map Virus Calendar Glossary Use Microsoft Security Essentials or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer.

By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP). %Temp% is a variable that refers to the temporary folder in the short path form. In the list of running programs, locate a malware/grayware/spyware file detected earlier. It also allows attackers to access an infected computer using a predetermined IRC channel. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied.

The worm uses multiple vulnerabilities to spread, including: The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. Once access is achieved, the worm copies itself and creates a task on the target machine to run the copy.   Some variants of the worm terminate security products, based on Then, scan the computer with AntiVirus with current virus definitions. https://www.symantec.com/security_response/writeup.jsp?docid=2004-011316-4140-99 They are spread manually, often under the premise that they are beneficial or wanted.

Then save the Chktrust.exe file to the root of C as well.(Step 3 to assume that both the removal tool and Chktrust.exe are in the root of the C drive.)Click Start Some variants spread to computers with weak passwords. By default, this switch creates the log file, FxGaobot.log, in the same folder from which the removal tool was executed./MAPPED Scans the mapped network drives. (We do not recommend using this New variants of Gaobot worm spreads using RPC DCOM and WebDAV Windows vulnerabilities.

Back to Top View Virus Characteristics Virus Characteristics This is a Trojan File PropertiesProperty ValuesMcAfee DetectionW32/Gaobot.worm.gen.dLength77824 bytesMD5d5f49fbd15e6c60cc8ac42228dd2bcd8SHA1963127901b90bcabcfbbe75c13d2bafcc5d453a8 Other Common Detection AliasesCompany NamesDetection NamesahnlabWorm/Win32.IRCBotavastWin32:HBPECryptAVG (GriSoft)HostsaviraTR/Downloader.GenKasperskyBackdoor.Win32.Mytobor.bBitDefenderGeneric.Sdbot.DE9431CAclamavWorm.Mytob.GEDr.WebWin32.HLLW.AgobotF-ProtW32/Heuristic-210!Eldorado (suspicious)FortiNetW32/AgoBot.fam!wormMicrosoftworm:win32/gaobotSymantecW32.Gaobot.gen!polyEsetWin32/Mytob worm (probably variant)normanSB/MalwarepandaMalicious Packerrising[Suspicious]SophosW32/Mytob-FamTrend http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan:Win32/Gaobot.gen If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. Methods of Infection Trojans do not self-replicate. To remove this threat from a NetWare server, first make sure that you have the current virus definitions, and then run a full system scan with the Symantec antivirus product.How to

Some variants may also add a Windows Service to attain similar results.   Win32/Gaobot.gen connects to a remote IRC server and joins a specific channel to receive commands. The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. These steps to help ensure your PC is protected. Step 3 Delete this registry value [ Learn More ][ back ] Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction.

Displays the help message./NOFIXREG Disables the registry repair (We do not recommend using this switch)./SILENT, /S Enables the silent mode./LOG=[PATH NAME] Creates a log file where [PATH NAME] is the location Virus Definitions released after February 27, 2004 and before March 19, 2004 detect this threat as W32.HLLW.Gaobot.gen. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps. You may see a system shutdown dialog box: The Win32/Gaobot.gen worm family spreads using different methods, depending on the variant.

The Locator service vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445. Most variants are packed with a run-time packer, such as UPX. Gaobot is a network worm spreads using network shares with weak password or no password.

The LSASS vulnerability (described in Microsoft Security Bulletin MS04-011) using TCP ports 139 and 445.

Antivirus Protection Dates Initial Rapid Release version November 24, 2003 Latest Rapid Release version February 3, 2017 revision 005 Initial Daily Certified version November 24, 2003 revision 036 Latest Daily Certified Others exploit vulnerabilities to infect computers. Tell us how we did. Select the detected files, then press either the End Task or the End Process button, depending on the version of Windows you are using.

Do the same for the remaining detected malware/grayware/spyware files in the list of running programs. If you are not sure, or are a network administrator and need to authenticate the files before deployment, follow the steps in the "Digital signature" section before proceeding with step 4.Close This may not include all the folders on the remote computer, which can lead to missed detections.If a viral file is detected on the mapped drive, the removal will fail if You can purchase Solo antivirus using the link

Unlike viruses, Trojans do not self-replicate. Disable or password-protect file sharing, or set the shared files to Read Only, before reconnecting the computers to the network or to the Internet. The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061), using UDP port 1434. On Windows Vista and 7: Insert the Windows CD into the CD-ROM drive and restart the computer.Click on "Repair Your Computer"When the System Recovery Options dialog comes up, choose the Command

If you are using Daylight Saving time, the displayed time will be exactly one hour earlier. For more information, read the Microsoft knowledge base article: XADM: Do Not Back Up or Scan Exchange 2000 Drive M (Article 298924).Follow these steps to download and run the tool:Download the