|W32.HLLW.Gaobot.AG is a minor variant of W32.HLLW.Gaobot.AE.
It attempts to spread to network shares that have weak passwords and allows attackers to access an infected computer through an IRC channel.
Opens a randomly chosen TCP port to connect to the attacker.
Connects to a predefined IRC channel, using its own IRC client, and listens for the special commands from the attacker.
When the worm runs, it allows the attacker to remotely control a compromised computer, allowing him/her to perform any of the following actions:
1. Manage the installation of the worm
2. Dynamically update the installed worm
3. Download and execute files
4. Steal a compromised system's information
5. Send the worm to other IRC users
6. Add accounts for the hacker
Sends data to TCP port 135, which exploits the DCOM RPC vulnerability, or sends data to TCP port 445 to exploit the RPC locator vulnerability.
Probes administrative shares using the following user/password combinations, in addition to the user names found on the remote computer, as the NetUserEnum() API determined.
Also, peforms the following actions:
1. After accessing vulnerable computers, the worm copies and executes itself on the new computers.
2. Steals CD keys of the different games.
3. Inventories the active processes and, if it is the name of the firewall and antivirus process the worm attempts to terminate it.
4. Attemps to kill all the running processes that other worms have dropped.
5. Can perform the following types of Denial of Service (DoS) attacks: Ping flood, TCP SYN flood, UDP flood.
This worm adds the value:
"MS Security Hotfix"="service5.exe"
to these registry keys:
Use antivirus (also check How To Remove section)Startup Optimizer to automatically remove it from startup.