
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Gaobot.LTL

Threat Level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Gaobot.LTL carries out the following actions:

  • It connects to several IRC servers in order to receive remote control commands, acting as a backdoor.
  • It can receive any of the following control orders:
    - Obtain the IP address of the affected computer.
    - Search for passwords belonging to the system.
    - Use a tool for obtaining MSN Messenger passwords.
    - Obtain the keys of the following videogames: Counter-Strike, FIFA 2006 and Soldier of Fortune II-Double Helix.
    - Launch DoS (Denial of Service) attacks of SYN Flood type.
    - Start an FTP and/or Socks4 proxy server.
    - Obtain information about the affected computer, such as available physical memory, main memory or microprocessor clock rate.
  • It prevents users from accessing a large number of websites belonging to several computer security companies.

    As a result, among other consequences, the antivirus programs of these companies cannot be updated, leaving the affected computer exposed to other malware.

Infection strategy 

Gaobot.LTL creates the following files:

  • TASKDRV32.EXE in the Windows system directory. This file is a copy of the worm. Once it has been created, Gaobot.LTL attempts to delete the original file it was run from, but that file is not actually deleted.
  • COMMAND.PIF on the Desktop.
  • PERFLIB_PERFDATA_260.DAT in the temporary directory of the affected user.
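One triage check a defender can run for the three file artifacts listed above, added here as an example and not part of the Panda entry: it looks for each file name in its drop location and compares the system-directory copy against the 53,904-byte size given under Further Details. The Windows environment variables used to resolve the folders, and the constructed directory tree built by demo(), are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Artifacts this entry attributes to Gaobot.LTL; the 53,904-byte size is from
# the "Further Details" section. Only TASKDRV32.EXE is the worm body itself.
WORM_SIZE = 53904
ARTIFACTS = {"system": "TASKDRV32.EXE",
             "desktop": "COMMAND.PIF",
             "temp": "PERFLIB_PERFDATA_260.DAT"}

def default_locations():
    """Drop locations on a live Windows host, from standard env vars (an assumption)."""
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    home = os.environ.get("USERPROFILE", "")
    return {"system": Path(windir) / "System32",
            "desktop": Path(home) / "Desktop",
            "temp": Path(os.environ.get("TEMP", ""))}

def find_artifacts(locations):
    """Return (label, path, size, size_matches) per artifact; names matched case-insensitively."""
    findings = []
    for label, name in ARTIFACTS.items():
        folder = locations.get(label)
        if folder is None or not Path(folder).is_dir():
            continue
        for entry in Path(folder).iterdir():
            if entry.is_file() and entry.name.upper() == name:
                size = entry.stat().st_size
                # The page gives a size only for the worm body; other drops match by name alone.
                size_ok = label != "system" or size == WORM_SIZE
                findings.append((label, str(entry), size, size_ok))
    return findings

def demo():
    """Run the check on a constructed, non-malicious tree built in a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        locs = {k: Path(root) / k for k in ARTIFACTS}
        for d in locs.values():
            d.mkdir()
        # Constructed stand-ins: a zero-filled file of the worm's size, a
        # lowercase-named PIF, and a benign file that must not be reported.
        (locs["system"] / "taskdrv32.exe").write_bytes(b"\0" * WORM_SIZE)
        (locs["desktop"] / "Command.pif").write_bytes(b"\0" * 16)
        (locs["desktop"] / "notes.txt").write_text("benign")
        return find_artifacts(locs)

if __name__ == "__main__":
    print(find_artifacts(default_locations()))
```

A hit on the name alone is worth a look even when the size differs, since a later variant or a different packer would change the byte count.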

Means of transmission 

Gaobot.LTL spreads across the Internet, across computer networks, through peer-to-peer (P2P) file sharing programs, and via instant messaging programs and email.

1.- Transmission across the Internet.

  • It generates random IP addresses.
  • It attempts to exploit the LSASS, RPC DCOM, WebDAV and UPnP vulnerabilities on those remote computers.
  • If successful, it uses a script in order to transfer a copy of itself to the compromised computer.

Gaobot.LTL can also affect computers that have DameWare Mini Remote Control installed, or that have SQL Server installed with the administrator account left blank.

2.- Transmission through P2P programs.

  • Gaobot.LTL creates copies of itself in the shared directories of several P2P programs such as Lime Wire (My Downloads, My Shared Folder and Program Files\Lime Wire\Shared) under the following names:
    2 FIND MP3 8.2.0.EXE
    2PAC - TUPAC FULL ALBUM BATTLE BEFORE HIS DEAD.EXE
    ADOBE INDESIGN CS 2.EXE
    ADOBE KEYGEN FOR PHOTOSHOP INDESIGN INCOPY SERIAL CRACK.EXE
    ADOBE PHOTOSHOP CS 2.EXE
    AUTOCAD 2002 CRACK.EXE
    AUTOCAD 2004 CRACK.EXE
    AUTOCAD 2005 CRACK.EXE
    AUTOCAD 2006 CRACK.EXE
    BEST HACK TOOL FOR REAL HACKERS KEYLOGGER WEBCAM SPY! - PRIVATE.EXE
    COUNTER STRIKE - CS FULL VERSION.EXE
    COUNTER STRIKE KEYGEN WORKING FOR ONLINE STEAM.EXE
    CREDIT CARD GENERATOR.EXE
    FIFA 2006 FULL WITH CRACK.EXE
    FIFA 2007 FULL WITH CRACK.EXE
    FLASH 8.EXE
    FREE SMS BOMBER.EXE
    GOOGLE HACK TUTORIAL FOR BEGINNERS.EXE
    HALFLIFE 2 WORKING STEAM CRACK.EXE
    HOTMAIL ACCOUNT HACKER IN 30 MINUTES.EXE
    HOTMAIL HACKER.EXE
    HOTMAIL_ACCOUNT_SNIFFER.EXE
    HOTMAILHACKER V1.0.EXE
    IP CHANGER.EXE
    MICROSOFT OFFICE ACTIVATION CRACK.EXE
    MICROSOFT OFFICE PROFESSIONAL CRACK.EXE
    MICROSOFT OFFICE PROFESSIONAL SERIAL.EXE
    MICROSOFT OFFICE PROFESSIONAL UNIVERSAL CRACK WITHOUT SERIAL.EXE
    MICROSOFT OFFICE UNIVERSAL ACTIVATOR V1.0.EXE
    MSN HACKER - PASSWORD STEALER.EXE
    NORTON ANTI VIRUS FULL NEWEST VERSION.EXE
    NORTON ANTIVIRUS 2005 CRACK.EXE
    NORTON ANTIVIRUS 2006 CRACK.EXE
    NORTON ANTIVIRUS CRACK.EXE
    NORTON FIREWALL 2006 CRACK.EXE
    PORN.EXE
    PORN_ACCOUNT_CRACKER.EXE
    PORN_ACCOUNT_HACKER.EXE
    PSX2 - PLAYSTATION 2 EMULATOR.EXE
    TOON BOOM.EXE
    UNIVERSAL GSM UNLOCKER FOR REMOVING SIMLOC (NOKIA,ERICSSON,SONY,SAMSUNG,OTHERS).EXE
    WINRAR 4 BETA.EXE
    YAHOO_CRACKER.EXE
    YAHOO_HACKER.EXE
    YAHOO_MAIL_CRACKER.EXE
    ZONEALARM CRACK (KEYGEN).EXE
  • Other users of these programs can remotely access these shared directories and voluntarily download the files, believing them to be useful programs, when in fact they are downloading a copy of the worm.
  • When the downloaded file is run, that computer becomes affected by Gaobot.LTL.

3.- Transmission across networks.

  • If the affected computer belongs to a network, Gaobot.LTL attempts to access the network shared resources.
  • In order to do so, it tries user names and passwords that are common or easy to guess.
  • If successful, Gaobot.LTL copies itself to the shared resources.

4.- Transmission via instant messaging programs and chat.

Gaobot.LTL spreads via AIM (AOL Instant Messenger) and IRC. It follows the routine below:

  • The user receives an instant message with a link.
  • If it is clicked, Gaobot.LTL is downloaded to the affected computer.
  • Gaobot.LTL then sends the same message to all the addresses in the AOL Instant Messenger contact list.

5.- Transmission via email.

  • Gaobot.LTL reaches the computer in an email message that contains an attached file.
  • The computer is affected when the user runs the attached file.
  • Gaobot.LTL searches for email addresses in several files of the computer.
  • Then, it sends itself out to the addresses it has gathered.

Further Details  

Gaobot.LTL is written in Visual C++ 6. The worm is 53,904 bytes in size and is compressed with PE_Patch.