Weekly Virus Report – Gaobot.M, Opaserv.Y and Colevo.A Worms

Today’s report on malicious code focuses on three worms: Gaobot.M (with backdoor characteristics), Opaserv.Y and Colevo.A.

Gaobot.M infects Windows XP/2000/NT computers and it exploits the RPC DCOM and WebDAV vulnerabilities to spread to as many computers as possible. Gaobot.M also spreads by attempting to copy itself to network shared resources. It gains access to these shared resources by using passwords that are typical or easy to guess. Once it is run, Gaobot.M connects to a specified IRC server through the port 6667 and waits for control commands.

As a backdoor, Gaobot.M lets malicious users obtain information on the affected computer, run files, launch Distributed Denial of Service (DDoS) attacks, upload files by FTP, etc. In addition, this worm ends processes belonging to antivirus programs, firewalls and system monitoring tools. This leaves the affected computer vulnerable to the attack of other viruses or worms. It also ends the processes of Nachi.A, Autorooter.A, Sobig.F and several variants of Blaster.

One indication that Gaobot.M has reached the computer is that the network traffic increases on the ports 135 and 445, as the worm attempts to exploit the ‘RPC DCOM’ vulnerability.

Opaserv.Y spreads to other computers by attacking IP addresses, in which it tries to make copies of itself to the existing shared network drives. It attempts to access these shared drives -through port 137- by exploiting the ‘Share Level Password’ vulnerability in Windows Me/98/95.

Opaserv.Y creates the file ‘SPEEDY.SCR’, which is a copy of the worm, and the files ‘PODRE!!’, ‘BANDA!’, ‘VACAS!’ and ‘VAGABU!’. These files contain information on scanned and affected computers, and are encrypted with Crypto-Algorythm.

We finish this report with Colevo.A that spreads via e-mail and sends itself out to all the contacts in MSN Messenger’s Contact list. In order to do so, Colevo.A incorporates its own SMTP engine. Similarly, Colevo.A opens the communication port 2536, and allows hackers to remotely control the affected computer. It opens the Internet Explorer browser and randomly accesses several web pages that contain pictures of the Bolivian leader Evo Morales.




Share this