W32.Gaobot and variants (attack LSASS Vulnerability)

Description

Several new variant of W32.Gaobot worms exploit a known Microsoft Windows Local Security Authority Subsystem Service vulnerability (LSASS) which described in Microsoft Securiy Bulletin MS04-011 to propagate across the Internet.

Affected System (Microsoft Windows LSASS Vulnerability MS04-011)

• Microsoft windows NT4
• Microsoft windows 2000
• Microsoft windows XP
• Microsoft windows Server 2003

W32.Gaobot and variants (attack LSASS Vulnerability) discovered by antivirus vendor:

• W32.Gaobot.AFC
• W32.Gaobot.AFJ
• W32.Gaobot.AFW
• W32.Gaobot.AJD (Updated on 12 May 2004)
• W32.Gaobot.AJE (Updated on 12 May 2004)
• W32.Gaobot.AJJ (Updated on 14 May 2004)
• W32.Gaobot.AIS (Updated on 18 May 2004)
• W32.Gaobot.ALO (Updated on 20 May 2004)
• W32.Gaobot.ALU (Updated on 21 May 2004)
• W32.Gaobot.ALW (Updated on 28 May 2004)
• W32.Gaobot.AOL (Updated on 5 June 2004)
• W32.Gaobot.AQS (Updated on 10 June 2004)

Once the computer is attacked by the worm, it shows a System Shutdown dialog box:

The worm have the ability to act as a backdoor server program and attack other systems. The worm attempts to kill the process of many anti-virus and security applications.

It also add a list of common antivirus and security software websites to the system HOSTS file to allocate to a local IP address, so that it prevents the user from accessing the list of websites.

It also steals Windows Product ID and the CD keys of certain game applications.

Additionally, it also sends HTTP POST messages containing large amounts of data (250 KB per POST message) to the following hosts:

www.ryan1918.net
www.ryan1918.org
www.ryan1918.com
yahoo.co.jp
www.nifty.com
www.d1asia.com
www.st.lib.keio.ac.jp
www.lib.nthu.edu.tw
www.above.net
www.level3.com
nitro.ucsc.edu
www.burst.net
www.cogentco.com
www.rit.edu
www.nocster.com
www.verio.com
www.stanford.edu
www.xo.net
de.yahoo.com
www.belwue.de
www.switch.ch
www.1und1.deverio.fr
www.utwente.nl
www.schlund.net

The worm variants also exhibit slight differences. The specific characteristics of each variants, please refer to Appendix.

• Modifies the HOSTS file

• Terminates many antivirus and security software processes

• Steals the Windows Product ID and the CD keys of certain game applications.

• Sends HTTP POST messages containing large amounts of data (250 KB per POST message) to the list of websites

• Opens a randomly selected TCP port and sends a copy of itself to any process connecting to that port.

• Connects to a remote IRC server and awaits commands from the remote attacker.

Solution

1. For infected computer,

   1. If you keep getting the "Shutdown in 60 seconds" dialog, click Start -> Run, and execute command 'shutdown -a' to get rid of the shutdown temporarily.

   2. Check the system HOSTS file which located at %System%\drivers\etc
      Note: %Sytem% is a variable, C:\Winnt\System32\drivers\etc (Windows NT/2000/2003), or C:\Windows\System32\drivers\etc (Windows XP).

      Right-click the HOSTS file, and then click "Open With."

      Scroll through the list of programs , select "Notepad" application to open the file and then click "OK".

      When the file is opened, by default it only have one 127.0.0.1 record as belows:

      127.0.0.1           localhost

      Please delete all the entries execept the above default entry and self defined entry, then save the HOSTS file and close the Notepad application.

2. Common steps for all unpatched computer,

   Download and Install Microsoft Windows LSASS vulnerability patch

   Note: It is advised to use a Win98 / WinME PC or a patched PC to download the patch software and transfer it via floppy diskette or CD-R to the infected system. This is safer.

   Please choose ONLY ONE correct Windows platform and Language to download:

   Windows NT Workstation 4.0 (Eng):
   http://www.microsoft.com/downloads/details.aspx?FamilyId=7F1713FC-F95C-43E5-B825-3CF72C1A0A3E&displaylang=en

   Windows NT Workstation 4.0 (Traditional Chi):
   http://www.microsoft.com/downloads/details.aspx?displaylang=zh-tw&FamilyID=7F1713FC-F95C-43E5-B825-3CF72C1A0A3E

   Windows NT Server 4.0 (Eng):
   http://www.microsoft.com/downloads/details.aspx?FamilyId=67A6F461-D2FC-4AA0-957E-3B8DC44F9D79&displaylang=en

   Windows NT Server 4.0 (Traditional Chi):
   http://www.microsoft.com/downloads/details.aspx?displaylang=zh-tw&FamilyID=67A6F461-D2FC-4AA0-957E-3B8DC44F9D79

   Windows NT 4.0 Terminal Server (Eng):
   http://www.microsoft.com/downloads/details.aspx?FamilyId=62CBA527-A827-4777-8641-28092D3AAE4F&displaylang=en

   Windows 2000 (Eng):
   http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en

   Windows 2000 (Traditional Chi):
   http://www.microsoft.com/downloads/details.aspx?displaylang=zh-tw&FamilyID=0692C27E-F63A-414C-B3EB-D2342FBB6C00

   Windows XP Home and Windows Professional Edition (Eng):
   http://www.microsoft.com/downloads/details.aspx?FamilyId=3549EA9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en

   Windows XP Home and Windows Professional Edition (Traditional Chi):
   http://www.microsoft.com/downloads/details.aspx?displaylang=zh-tw&FamilyID=3549EA9E-DA3F-43B9-A4F1-AF243B6168F3

   Windows Server 2003 (Eng):
   http://www.microsoft.com/downloads/details.aspx?FamilyId=3549EA9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en

   Windows Server 2003 (Traditional Chi):
   http://www.microsoft.com/downloads/details.aspx?displaylang=zh-tw&FamilyID=3549EA9E-DA3F-43B9-A4F1-AF243B6168F3

   Other Windows platforms:
   http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx

   When "File Download" dialog box prompted, please select "Open" file¡CAfter the download is completed, the Installation starts. You can click "Next" button until "Finish". After Finished, please reboot the computer.

3. Scanning and Cleaning the worm

   1. Update the new virus definition or signature from anti-virus vendors.

   2. WinXP machines need to turn off "System Restore" according to the following steps, before running the antivirus program (skip for Win2000 and WinNT)

      1. Click Start > Programs > Accessories > Windows Explorer

      2. Right-click My Computer, and then click Properties.

      3. Click the System Restore tab.

      4. Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box

      5. Click Apply and then click Yes.

      6. Click OK.

   3. Running the antivirus program in Safe Mode guarantees that no file will be locked by system and can be removed without problem.

      1. Reboot the Computer.

      2. Press "F8" many times during machine reboot until the bootup selection menu is shown.

      3. Choose "Safe Mode".

      4. After entering Safe Mode, run the antivirus program to start scan your computer.

      5. Scanning runs until completion.

      6. Restart the computer to "Normal Mode" .

4. Resume WinXP Configuration to normal (skip for Win2000 and WinNT)

   1. Click Start.

   2. Right-click My Computer, and then click Properties.

   3. Click the System Restore tab. Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box.

   4. Click Apply, and then click OK.

   5. Restart the computer.

At this point, the infected computer should have been recovered. Since the patch has also closed the Windows LSASS security hole, the computer is immune to any new attacking worm variants.

However, the following optional recommendation can further improve your protection

---

Optional Recommeded Steps to tackle the worm attack

Configure Firewall to filter network traffic

• If the company has installed firewall or firewall-capable broadband router, you can configure it to block the imcoming LSARPC traffic from the Internet to safeguard all PCs in the internal network. This is very effective in mitigating the risk. The services that need to be blocked include:

  TCP/UDP 139
  TCP/UDP 445

  Furthermore the following ports may used by the worm should be blocked as well:
  

  TCP 1025 (Please vertify the existing service is not use before blocking this port)

  If access cannot be blocked for all external hosts, we recommend limiting access to only those hosts that require it for normal operation. As a general rule, we recommend filtering all types of network traffic that are not required for normal operation.

• Home or personal computers can install firewall-capable broadband router (hardware) or personal firewall (software) to achieve the same purpose.
  For WinXP, you can turn on the built-in personal firewall software called the "Internet Connection Firewall". Detail steps can be found at the following URL:
  http://www.microsoft.com/WindowsXP/home/using/howto/homenet/icf.asp

Related Link(s)

Appendix