
Windows Virus Alert: Multiple Worms On Campus

Posted on September 3, 2004 10:23 AM

Note: None of these threats are email-borne. They spread by leveraging unpatched machines and machines with weak share passwords or no share passwords.

In the last 24 hours, CIS has found over 20 Windows computers on campus that are infected with one or more of the worms listed below. Desktop Services submitted 3 suspect files removed from a laptop last night and Symantec identified the files as being the following worms:

W32.HLLW.Gaobot.gen (c:\windows\system32\winupdate.exe)
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.gen.html

Non-repairable threat - please delete this file and replace it if necessary.

W32.Spybot.Worm (c:\windows\system32\lsas.exe)
http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html

Non-repairable threat - please delete this file and replace it if necessary.

W32.IRCBot.E (c:\windows\system32\scvhosting.exe)
http://www.sarc.com/avcenter/venc/data/w32.ircbot.f.html

(Symantec lists W32.IRCBot.E as a variant of this later bot.)

Non-repairable threat - please delete this file and replace it if necessary.

The names of these files will vary. Another characteristic of these Gaobot and IRCBot variants was how thoroughly they modified the registry to restart themselves. There were entries in the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
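As an added defender's check that is not part of the CIS notice, the following Python script parses a `reg export` dump of those three keys and flags any entry whose executable matches one of the file names above or is not on a local allowlist (since the names vary). The allowlist, the sample export and the function names are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath

# The three autostart keys named in the advisory, compared case-insensitively.
AUTOSTART_KEYS = {rf"hkey_local_machine\software\microsoft\windows\currentversion\{k}" for k in ("run", "runonce", "runservices")}
KNOWN_BAD = {"winupdate.exe", "lsas.exe", "scvhosting.exe"}  # names from the advisory; they vary, so only a starting list
ALLOWLIST = {"ctfmon.exe", "vptray.exe"}  # assumption: autostart binaries the campus desktop image is known to carry
_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_SZ_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Yield (key, value_name, data) for every REG_SZ value in a `reg export` dump."""
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)  # .reg files escape \ and " with a backslash
    key = None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := _KEY_RE.match(line):
            key = m.group("key")
        elif key and (m := _SZ_RE.match(line)):
            yield key, unescape(m.group("name")), unescape(m.group("data"))

def binary_name(command):
    """Lower-cased base name of the executable an autostart command line launches."""
    command = command.strip()
    exe = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(None, 1)[0]
    return PureWindowsPath(exe).name.lower()

def find_suspect_autostarts(text):
    """Return [(key, value_name, binary, verdict)] for autostart entries worth a look."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if key.lower() in AUTOSTART_KEYS:
            exe = binary_name(data)
            if exe in KNOWN_BAD:
                findings.append((key, name, exe, "known-bad"))
            elif exe not in ALLOWLIST:
                findings.append((key, name, exe, "review"))  # unknown binary: inspect by hand
    return findings

# Constructed sample export; not taken from a real infected machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows Update"="C:\\WINDOWS\\system32\\winupdate.exe"
"Local Security"="\"C:\\WINDOWS\\system32\\lsas.exe\" /s"
"Setup"="C:\\Temp\\installer.exe /quiet"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Service Host"="C:\\WINDOWS\\system32\\scvhosting.exe"
'''
```

Run `find_suspect_autostarts(SAMPLE_EXPORT)` to see the three known-bad hits plus the unknown installer.exe entry marked for review; a real dump comes from `reg export` of each key on the suspect machine.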

You can try to clean these infections based on the instructions in the Symantec documentation. Remember that it's important to follow the steps exactly as instructed.

Unfortunately, although none of these worms is new, none of them is detected by Symantec with the 9/1/2004 virus definitions. Based on Symantec Security Response feedback, detection for these threats will be available in the next LiveUpdate cycle.

We'll keep you updated.
