Thread: Gaobot

  1. #1
    Junior Member
    Join Date
    Aug 2002


    A few months ago I spotted strange traffic while manually browsing the firewall logs.

    Come to find out that we had viruses on a few computers running a Gaobot variant. We use EPO and are really proactive about these things, but this variant was not being detected. I even sent NAI the virii and they still cannot detect this version today.

    Anyways, are there any tools that we can use to detect these variants? Maybe a plug-in for our Cisco IDS system?

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    If you can get some packet captures then you could write a snort rule for it.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Senior Member nihil
    Join Date
    Jul 2003
    United Kingdom: Bridlington

    If you have a file that is infected could you either Zip it or convert it to a .txt and PM it to me. I will then run it past my collection of AVs etc to see if anything finds it.

    All I need is to find one that does, to figure out how.

    I know that there are a few other guys here who might be interested as well, so if you can provide a sample, let us know and they will PM you for a sample.

    Yes, this does seem a little long winded, but this way it is restricted to members, and to those who request it; so it absolves you of any blame for what happens.


  4. #4
    The Doctor Und3ertak3r
    Join Date
    Apr 2002
    I haven't had a Gaobot variant for a few months, or at least the typical symptoms that lead me to their detection. If I remember, one AV company called a variant Fatbot... I just wish they called it Pig...

    Symptoms that made it stick out like dog's balls... that is, besides the network activity (RPC-DCOM, LSASS probes):

    Unable to do a Windows Update... typically I would notice this while trying to install the RPC-DCOM or LSASS patches.
    Attempting to install certain programs resulted in failure... typically Spybot S&D (in one case it couldn't see the file on the CD).

    Why was this so?

    You had to go into the registry to find the reason (now this is where I am rusty... my notes are at work).
    In a reg key for loading the OS, the virus loads with it; it will look like
    "explorer.exe; wrft5sh.exe" in the key (note the file name could be anything).

    The virus/worm loads even in safe mode as a result of this key... and because it loads with explorer.exe it is able to give the AV a hard time. You will need to terminate the process IF you can see it, then delete the file in the system32 folder or the windows folder (normally in system32). Restart in safe mode and recheck your work... if the reg is clean, you should now be able to run the NAV, NAI, or whoever's clean-up tool.
    The last one that I did, I followed the process of adware removal given in a post by groovicus... check this thread http://www.antionline.com/showthread...hreadid=261046

    I would like to be more help... just general info, I am sorry...

    But if any of your boxes are not fully updated... the infection will continue.
    If you're unable to identify ALL the infected machines and block the resultant traffic... the infection will resurface.

    "Consumer technology now exceeds the average person's ability to comprehend how to use it... give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  5. #5
    Junior Member
    Join Date
    Aug 2002
    Thanks very much.

    The last one we had was removed a few days ago. We cleaned them by doing what you said Undertaker and removing the registry key and the file mso.exe from the system directory.

    Unfortunately, I removed the file and don't have a copy anymore, but I will keep my eyes open, I must have it zipped somewhere. The help desk has just been deleting it on the spot.

    It was a very clever version that communicated to certain IPs only at certain times. I discovered it by seeing traffic using 6667 to one IP. When I blocked it, it went to another IP.

    Now it's a new version of Mydoom that I have been seeing, but it looks like we have stopped it by updating EPO at just the right time. Looks like it's my full-time job now.
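The detection the thread arrives at, written out as an added example (not any poster's code): post #2 suggests building a rule from captures, and post #5 found the bot by spotting TCP/6667 traffic from a host that moved to a second server once the first was blocked. The log format and the sample lines below are constructed for the example; the addresses are documentation ranges, not real indicators.

```python
# Added example: scan firewall logs for the behaviour described in the thread,
# repeated TCP/6667 (IRC) flows from an internal host that hop to a new server.
import re
from collections import defaultdict

# Constructed sample lines in a simplified 'ts action proto src -> dst' format.
SAMPLE_LOG = """\
2004-06-01 02:05:11 ALLOW TCP 10.1.2.33:1134 -> 203.0.113.10:6667
2004-06-01 02:05:12 ALLOW TCP 10.1.2.33:1135 -> 203.0.113.10:6667
2004-06-01 02:06:01 ALLOW TCP 10.1.2.40:2231 -> 198.51.100.5:80
2004-06-01 14:05:09 ALLOW TCP 10.1.2.33:1301 -> 203.0.113.10:6667
2004-06-02 02:05:14 DENY  TCP 10.1.2.33:1408 -> 203.0.113.10:6667
2004-06-02 02:07:30 ALLOW TCP 10.1.2.33:1412 -> 192.0.2.77:6667
2004-06-02 02:09:02 ALLOW TCP 10.1.2.51:3011 -> 192.0.2.77:6667
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<action>ALLOW|DENY)\s+"
    r"(?P<proto>\w+)\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
IRC_PORTS = {6667}  # the port the original poster saw; extend for other IRC ports

def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def suspect_hosts(log_text, ports=IRC_PORTS):
    """Map src_ip -> {dst_ip: [timestamps]} for TCP flows to IRC ports (DENY counts too)."""
    hits = defaultdict(lambda: defaultdict(list))
    for rec in parse(log_text.splitlines()):
        if rec["proto"] == "TCP" and int(rec["dport"]) in ports:
            hits[rec["src"]][rec["dst"]].append(rec["ts"])
    return {src: dict(dsts) for src, dsts in hits.items()}

def hopping_hosts(hits):
    """Sources that contacted more than one IRC server: the fallback seen after a block."""
    return sorted(src for src, dsts in hits.items() if len(dsts) > 1)

def beacon_hours(hits):
    """Distinct hours of day per source; a narrow set points to a timed beacon, not a user."""
    return {src: sorted({int(ts[11:13]) for tss in dsts.values() for ts in tss})
            for src, dsts in hits.items()}

if __name__ == "__main__":
    found = suspect_hosts(SAMPLE_LOG)
    for src in found:
        print(src, "->", list(found[src]), "hours", beacon_hours(found)[src])
    print("server-hopping hosts:", hopping_hosts(found))
```

A host flagged by both hopping_hosts and a narrow beacon_hours set is the one to pull for the registry check described in post #4.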
