   Mischel Internet Security Forum
Topic: Gaobot.M, Opaserv.Y and Colevo.A. (Read 468 times)
Ian
Good things come to those who wait ...
Posts: 2913
« on: Sep 30th, 2003, 8:32pm »

Gaobot.M (with backdoor characteristics), Opaserv.Y and Colevo.A.
 
Time to check the network scanner again...

Gaobot.M infects Windows XP/2000/NT computers and it exploits the RPC DCOM and WebDAV vulnerabilities to spread to as many computers as possible. Gaobot.M also spreads by attempting to copy itself to network shared resources. It gains access to these shared resources by using passwords that are typical or easy to guess. Once it is run, Gaobot.M connects to a specified IRC server through the port 6667 and waits for control commands.  
 
As a backdoor, Gaobot.M lets malicious users obtain information on the affected computer, run files, launch Distributed Denial of Service (DDoS) attacks, upload files by FTP, etc. In addition, this worm ends processes belonging to antivirus programs, firewalls and system monitoring tools. This leaves the affected computer vulnerable to the attack of other viruses or worms. It also ends the processes of Nachi.A, Autorooter.A, Sobig.F and several variants of Blaster.
 
One indication that Gaobot.M has reached the computer is that the network traffic increases on the ports 135 and 445, as the worm attempts to exploit the 'RPC DCOM' vulnerability.
 
Opaserv.Y spreads to other computers by attacking IP addresses, in which it tries to make copies of itself to the existing shared network drives. It attempts to access these shared drives (through port 137) by exploiting the 'Share Level Password' vulnerability in Windows Me/98/95.
 
Opaserv.Y creates the file 'SPEEDY.SCR', which is a copy of the worm, and the files 'PODRE!!', 'BANDA!', 'VACAS!' and 'VAGABU!'. These files contain information on scanned and affected computers, and are encrypted with Crypto-Algorythm.  
 
Colevo.A spreads via e-mail and sends itself out to all the contacts in MSN Messenger's Contact list. In order to do so, Colevo.A incorporates its own SMTP engine. Similarly, Colevo.A opens the communication port 2536, and allows hackers to remotely control the affected computer. It opens the Internet Explorer browser and randomly accesses several web pages that contain pictures of the Bolivian leader Evo Morales.

... but crap arrives pretty much straight away.
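The post above lists concrete network and file indicators for the three worms: Gaobot.M scanning ports 135/445 and talking to IRC on 6667, Opaserv.Y probing port 137 and dropping 'SPEEDY.SCR' plus its four data files, and Colevo.A listening on 2536. The script below is an added example (not part of the original post or of any vendor tool) that runs simple detection logic over flow records to surface those indicators. The flow records are constructed for the example, the record format (timestamp, source, destination, protocol, destination port) is an assumption, and the scan threshold of five distinct targets is a tuning choice rather than something the post states.

```python
"""Flag hosts whose traffic matches the worm indicators described in the post:
bursts of TCP 135/445 connections to many hosts (Gaobot.M, RPC DCOM), bursts of
UDP 137 probes (Opaserv.Y share attacks), outbound IRC on 6667 (Gaobot.M control
channel) and inbound connections to 2536 (Colevo.A backdoor)."""
from collections import defaultdict

# Ports named in the post.
RPC_PORTS = {135, 445}
NETBIOS_PORT = 137
IRC_PORT = 6667
COLEVO_PORT = 2536
# Assumption for this example: this many distinct targets on one port counts as a scan.
SCAN_THRESHOLD = 5
# File names Opaserv.Y creates according to the post (matched case-insensitively).
OPASERV_FILES = {"SPEEDY.SCR", "PODRE!!", "BANDA!", "VACAS!", "VAGABU!"}

# Constructed sample flow records, not real captures:
# timestamp src dst proto dport
SAMPLE_FLOWS = """\
2003-09-30T20:30:01 10.0.0.5 10.0.0.11 tcp 445
2003-09-30T20:30:01 10.0.0.5 10.0.0.12 tcp 445
2003-09-30T20:30:02 10.0.0.5 10.0.0.13 tcp 445
2003-09-30T20:30:02 10.0.0.5 10.0.0.14 tcp 135
2003-09-30T20:30:03 10.0.0.5 10.0.0.15 tcp 135
2003-09-30T20:30:03 10.0.0.5 10.0.0.16 tcp 445
2003-09-30T20:30:09 10.0.0.5 192.0.2.10 tcp 6667
2003-09-30T20:31:00 10.0.0.9 10.0.0.21 udp 137
2003-09-30T20:31:00 10.0.0.9 10.0.0.22 udp 137
2003-09-30T20:31:01 10.0.0.9 10.0.0.23 udp 137
2003-09-30T20:31:01 10.0.0.9 10.0.0.24 udp 137
2003-09-30T20:31:02 10.0.0.9 10.0.0.25 udp 137
2003-09-30T20:31:10 10.0.0.40 10.0.0.1 tcp 445
2003-09-30T20:31:11 10.0.0.40 10.0.0.1 tcp 445
2003-09-30T20:31:12 10.0.0.40 198.51.100.7 tcp 80
2003-09-30T20:32:00 203.0.113.4 10.0.0.30 tcp 2536
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (ts, src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append((ts, src, dst, proto.lower(), int(dport)))
    return flows


def analyze(flows, scan_threshold=SCAN_THRESHOLD):
    """Return {host: sorted list of indicator names} for hosts matching the post's indicators."""
    rpc_targets = defaultdict(set)   # src -> distinct hosts it hit on 135/445
    nb_targets = defaultdict(set)    # src -> distinct hosts it probed on UDP 137
    findings = defaultdict(set)
    for _ts, src, dst, proto, dport in flows:
        if proto == "tcp" and dport in RPC_PORTS:
            rpc_targets[src].add(dst)
        elif proto == "udp" and dport == NETBIOS_PORT:
            nb_targets[src].add(dst)
        elif proto == "tcp" and dport == IRC_PORT:
            findings[src].add("irc_6667_outbound")
        elif proto == "tcp" and dport == COLEVO_PORT:
            # The destination host is the one with the suspected backdoor port open.
            findings[dst].add("inbound_2536")
    # A normal file-server client talks to one or two hosts on 445; a worm
    # fans out across the subnet, which is what the threshold is meant to catch.
    for src, targets in rpc_targets.items():
        if len(targets) >= scan_threshold:
            findings[src].add("rpc_dcom_scan_135_445")
    for src, targets in nb_targets.items():
        if len(targets) >= scan_threshold:
            findings[src].add("netbios_137_share_probe")
    return {host: sorted(names) for host, names in findings.items()}


def opaserv_file_indicators(filenames):
    """Return the Opaserv.Y artefact names present in a directory listing of a share."""
    return sorted({name.upper() for name in filenames} & OPASERV_FILES)


if __name__ == "__main__":
    for host, names in sorted(analyze(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{host}: {', '.join(names)}")
    print("share artefacts:", opaserv_file_indicators(["speedy.scr", "readme.txt", "VACAS!"]))
```

Running it flags 10.0.0.5 for both the 135/445 fan-out and the IRC connection, 10.0.0.9 for the 137 probing, and 10.0.0.30 as the host that accepted a connection on 2536, while the ordinary client 10.0.0.40 that only reaches its file server is left alone. The traffic checks only raise a lead; the file check is the follow-up a defender would run against the shares a flagged Windows 9x/Me host exposes.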