Full description

Virus:	Worm/Gobot.S
Date discovered:	22/11/2005
Type:	Worm
In the wild:	Yes
Reported Infections:	Low
Distribution Potential:	Medium to high
Damage Potential:	Medium
Static file:	No
File size:	~41.200 Bytes
VDF version:	6.26.00.56

General Methods of propagation:
   • Local network
   • Peer to Peer

Aliases:
   • Kaspersky: Backdoor.Win32.Gobot.s
   • TrendMicro: WORM_GOBOT.S
   • F-Secure: W32/Agobot.AVU
   • Sophos: W32/Gobot-C
   • Bitdefender: Backdoor.Gabot.A

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Records keystrokes
   • Registry modification
   • Makes use of software vulnerability
   • Steals information
   • Third party control

Files It copies itself to the following location:
• %WINDIR%\%random character string%.exe

The following file is created:

– %WINDIR%\setup.txt This file contains collected keystrokes.

Registry One of the following values is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • AVPCC = %WINDIR%\%random character string%.exe
   • NPROTECT = %WINDIR%\%random character string%.exe
   • SMC = %WINDIR%\%random character string%.exe
   • NETUTILS = %WINDIR%\%random character string%.exe
   • NTXCONFIG = %WINDIR%\%random character string%.exe
   • LDNETMON = %WINDIR%\%random character string%.exe
   • CONNECTIONMONITOR = %WINDIR%\%random character string%.exe
   • NVSVC32 = %WINDIR%\%random character string%.exe
   • AVSYNMGR = %WINDIR%\%random character string%.exe
   • ERICS = %WINDIR%\%random character string%.exe
   • NAVENGNAVEX15 = %WINDIR%\%random character string%.exe
   • NAV AUTO-PROTECT = %WINDIR%\%random character string%.exe
   • CPDCLNT = %WINDIR%\%random character string%.exe
   • MPFSERVICE = %WINDIR%\%random character string%.exe
   • MPFTRAY = %WINDIR%\%random character string%.exe
   • PORTMONITOR = %WINDIR%\%random character string%.exe
   • CPDCLNT = %WINDIR%\%random character string%.exe
   • VSHWIN32 = %WINDIR%\%random character string%.exe
   • VSECOMR = %WINDIR%\%random character string%.exe
   • WEBSCANX = %WINDIR%\%random character string%.exe
   • TCMON = %WINDIR%\%random character string%.exe
   • ALOGSERV = %WINDIR%\%random character string%.exe
   • CMGRDIAN = %WINDIR%\%random character string%.exe
   • RULAUNCH = %WINDIR%\%random character string%.exe
   • DVP95 = %WINDIR%\%random character string%.exe
   • PROCESSMONITOR = %WINDIR%\%random character string%.exe
   • FRW = %WINDIR%\%random character string%.exe
   • NAVAP = %WINDIR%\%random character string%.exe
   • NAVAPW32 = %WINDIR%\%random character string%.exe
   • DEFWATCH = %WINDIR%\%random character string%.exe
   • GENERICS = %WINDIR%\%random character string%.exe
   • NAVAPSVC = %WINDIR%\%random character string%.exe
   • NTVDM = %WINDIR%\%random character string%.exe
   • NAVWNT = %WINDIR%\%random character string%.exe
   • NAVLU32 = %WINDIR%\%random character string%.exe
   • LUALL = %WINDIR%\%random character string%.exe
   • SWNETSUP = %WINDIR%\%random character string%.exe
   • ICLOAD95 = %WINDIR%\%random character string%.exe
   • TDS-3 = %WINDIR%\%random character string%.exe
   • ICMON = %WINDIR%\%random character string%.exe
   • ICSUPP95 = %WINDIR%\%random character string%.exe
   • IFACE = %WINDIR%\%random character string%.exe
   • ADVXDWIN = %WINDIR%\%random character string%.exe
   • PADMIN = %WINDIR%\%random character string%.exe
   • RAV7WIN = %WINDIR%\%random character string%.exe
   • WATCHDOG = %WINDIR%\%random character string%.exe
   • MINILOG = %WINDIR%\%random character string%.exe
   • P-WIN = %WINDIR%\%random character string%.exe
   • NDD32 = %WINDIR%\%random character string%.exe
   • FNRB32 = %WINDIR%\%random character string%.exe
   • NMAIN = %WINDIR%\%random character string%.exe
   • IAMSERV = %WINDIR%\%random character string%.exe
   • NPSCHECK = %WINDIR%\%random character string%.exe
   • AGENTW = %WINDIR%\%random character string%.exe
   • PERSFW = %WINDIR%\%random character string%.exe
   • PERSWF = %WINDIR%\%random character string%.exe
   • LOCKDOWN = %WINDIR%\%random character string%.exe
   • SPYXX = %WINDIR%\%random character string%.exe
   • WEBTRAP = %WINDIR%\%random character string%.exe
   • ATCON = %WINDIR%\%random character string%.exe
   • NPROTECT = %WINDIR%\%random character string%.exe
   • WGFE95 = %WINDIR%\%random character string%.exe
   • ZONEALARM = %WINDIR%\%random character string%.exe
   • VSMON = %WINDIR%\%random character string%.exe
   • AVKSERV = %WINDIR%\%random character string%.exe
   • MPFAGENT = %WINDIR%\%random character string%.exe
   • MPFSERVICE = %WINDIR%\%random character string%.exe
   • MPFTRAY = %WINDIR%\%random character string%.exe
   • PORTMONITOR = %WINDIR%\%random character string%.exe
   • VSHWIN32 = %WINDIR%\%random character string%.exe
   • WEBSCANX = %WINDIR%\%random character string%.exe
   • VSSTAT = %WINDIR%\%random character string%.exe
   • PCCWIN98 = %WINDIR%\%random character string%.exe
   • ATUPDATE = %WINDIR%\%random character string%.exe
   • AVCONSOL = %WINDIR%\%random character string%.exe
   • NSCHED32 = %WINDIR%\%random character string%.exe
   • KAVDOS32 = %WINDIR%\%random character string%.exe
   • ESPWATCH = %WINDIR%\%random character string%.exe
   • NEOWATCHLOG = %WINDIR%\%random character string%.exe
   • AUTOTRACE = %WINDIR%\%random character string%.exe
   • AUTODOWN = %WINDIR%\%random character string%.exe
   • VETTRAY = %WINDIR%\%random character string%.exe
   • SAFEWEB = %WINDIR%\%random character string%.exe
   • VSCAN40 = %WINDIR%\%random character string%.exe
   • CFIADMIN = %WINDIR%\%random character string%.exe
   • LUCOMSERVE = %WINDIR%\%random character string%.exe
   • RVE = %WINDIR%\%random character string%.exe
   • TFAK = %WINDIR%\%random character string%.exe
   • VBCMSERV = %WINDIR%\%random character string%.exe
   • NWTOOL16 = %WINDIR%\%random character string%.exe
   • AVP32 = %WINDIR%\%random character string%.exe
   • ANTI-TROJAN = %WINDIR%\%random character string%.exe
   • NWSERVICE = %WINDIR%\%random character string%.exe
   • CTRL = %WINDIR%\%random character string%.exe
   • NAVNT = %WINDIR%\%random character string%.exe
   • AVXMONITORNT = %WINDIR%\%random character string%.exe
   • AVPDOS32 = %WINDIR%\%random character string%.exe
   • AVPTC32 = %WINDIR%\%random character string%.exe

P2P In order to infect other systems in the Peer to Peer network community the following action is performed:

–   It retrieves shared folders by querying the following registry keys:
   • HKCU\Software\Kazaa\localcontent
   • HKCU\Software\Limewire
   • HKCU\Software\Shareaza
   • HKCU\Software\Morpheus
   • HKCU\Software\Xolox
   • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\edonkey2000

   If successful, the following files are created:
   • AIM_Account_Stealer_Crack.exe; AIM_Account_Stealer_Crack.exe;
      AIM_Account_Stealer_Full.exe; AIM_Account_Stealer_Full.exe;
      AIM_Account_Stealer_ISO_Full.exe;
      AIM_Account_Stealer_Key_Generator.exe; AIM_Account_Stealer_Patch.exe;
      AIM_Account_Stealer_Patch.exe; Cat_Attacks_Child_Crack.exe;
      Cat_Attacks_Child_Full.exe; Cat_Attacks_Child_ISO_Full.exe;
      Cat_Attacks_Child_ISO_Full.exe; Cat_Attacks_Child_Key_Generator.exe;
      Cat_Attacks_Child_Key_Generator.exe; Cat_Attacks_Child_Patch.exe;
      CKY3_Bam_Margera_World_Industries_Alien_Workshop_Crack.exe;
      CKY3_Bam_Margera_World_Industries_Alien_Workshop_Full.exe;
      CKY3_Bam_Margera_World_Industries_Alien_Workshop_ISO_Full.exe;
      CKY3_Bam_Margera_World_Industries_Alien_Workshop_Key_Generator.exe;
      CKY3_Bam_Margera_World_Industries_Alien_Workshop_Patch.exe;
      CKY3_Bam_Margera_World_Industries_Alien_Workshop_Patch.exe;
      DSL_Modem_Uncapper_Crack.exe; DSL_Modem_Uncapper_Crack.exe;
      DSL_Modem_Uncapper_Full.exe; DSL_Modem_Uncapper_Full.exe;
      DSL_Modem_Uncapper_ISO_Full.exe; DSL_Modem_Uncapper_ISO_Full.exe;
      DSL_Modem_Uncapper_Key_Generator.exe; DSL_Modem_Uncapper_Patch.exe;
      Hacking_Tool_Collection_Crack.exe; Hacking_Tool_Collection_Crack.exe;
      Hacking_Tool_Collection_Full.exe;
      Hacking_Tool_Collection_ISO_Full.exe;
      Hacking_Tool_Collection_Key_Generator.exe;
      Hacking_Tool_Collection_Patch.exe; Hacking_Tool_Collection_Patch.exe;
      Internet_and_Computer_Speed_Booster_Crack.exe;
      Internet_and_Computer_Speed_Booster_Crack.exe;
      Internet_and_Computer_Speed_Booster_Full.exe;
      Internet_and_Computer_Speed_Booster_ISO_Full.exe;
      Internet_and_Computer_Speed_Booster_Key_Generator.exe;
      Internet_and_Computer_Speed_Booster_Patch.exe;
      Macromedia_Flash_5.0_Crack.exe; Macromedia_Flash_5.0_Full.exe;
      Macromedia_Flash_5.0_ISO_Full.exe; Macromedia_Flash_5.0_ISO_Full.exe;
      Macromedia_Flash_5.0_Key_Generator.exe;
      Macromedia_Flash_5.0_Key_Generator.exe;
      Macromedia_Flash_5.0_Patch.exe;
      MSN_Password_Hacker_and_Stealer_Crack.exe;
      MSN_Password_Hacker_and_Stealer_Full.exe;
      MSN_Password_Hacker_and_Stealer_Full.exe;
      MSN_Password_Hacker_and_Stealer_ISO_Full.exe;
      MSN_Password_Hacker_and_Stealer_Key_Generator.exe;
      MSN_Password_Hacker_and_Stealer_Patch.exe; Windows_XP_Crack.exe;
      Windows_XP_Crack.exe; Windows_XP_Full.exe; Windows_XP_Full.exe;
      Windows_XP_ISO_Full.exe; Windows_XP_Key_Generator.exe;
      Windows_XP_Key_Generator.exe; Windows_XP_Patch.exe;
      ZoneAlarm_Firewall_Crack.exe; ZoneAlarm_Firewall_Full.exe;
      ZoneAlarm_Firewall_ISO_Full.exe; ZoneAlarm_Firewall_Patch.exe;
      ZoneAlarm_Firewall_Patch.exe

   These files are copies of the malware itself.

Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

Exploit:
It makes use of the following Exploit:
– Mydoom backdoor (port 3127)

IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: 217.160.**********.243
Port: 6659
Channel: #GhostBot
Nickname: %current username%%several random digits%
Password: x-bot6659

– This malware has the ability to collect and send information such as:
    • CPU speed
    • Current user
    • Free disk space
    • Free memory
    • Information about the network
    • Size of memory
    • Username

– Furthermore it has the ability to perform actions such as:
    • Launch DDoS SYN flood
    • Download file
    • Execute file
    • Kill process
    • Terminate process

File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Andrei Gherman on Wednesday, November 23, 2005
Description updated by Andrei Gherman on Thursday, November 24, 2005

Back . . . .