|W32.Gaobot.gen!poly is a worm that attempts to spread through network shares with weak passwords and allows attackers to access
an infected computer using a specific IRC channel.
Allows an attacker to remotely control a compromised computer and perform any of the following actions:
- Download and execute files
- Steal system information
- Harvest email addresses
- Steal CD keys for various games
Also Known As: W32.HLLW.Polybot, Phatbot, W32/Polybot.l!irc [McAfee], WORM_AGOBOT.HM [Trend], Backdoor.Agobot.hm [Kaspersky]
Copies itself as one of the following files:
Adds one of the following values:
"^`d}qZxu" = "~`d}qzxu3zYF"
"Service Host Process"="spoolsvc.exe"
to the registry keys:
Creates a service for the worm with one of the following names and sets it to automatically run on startup:
Configuration Loader, SoundMan, Service Host Process
Hides all the files that contain the word "soun."
May change the %System%\drivers\etc\hosts file with some lines.
Attempt to spread to other systems by exploiting vulnerabilities.
Ends processes associated with antivirus and firewall software.
Attempts to delete the files and registry values associated with other worms.
Use antivirus (also check How To Remove section)Startup Optimizer to remove it from startup.
For more information to locate and remove this worm, see on http://securityresponse.symantec.com/avc...