Welcome to the Virus Encyclopedia of Panda Security.
|Alias:||W32/Gaobot.worm.ab Backdoor.Agobot.3.f, WORM_AGOBOT W32.HLLW.Gaobot|
It uses the RPC DCOM and WebDAV vulnerabilities in order to spread to as many computers as possible. It connects to an IRC server and waits for control commands. It allows to obtain information on the affected computer, run files, etc.>>>
|Detection updated on:||Sept. 10, 2003|
|Yes, using TruPrevent Technologies
Gaobot.L is a worm with backdoor characteristics that infects only Windows XP/2000/NT computers. Gaobot.L exploits the RPC DCOM and WebDAV vulnerabilities to spread to as many computers as possible.
Gaobot.L also spreads by attempting to copy itself to network shared resources. It gains access to these shared resources by using passwords that are typical or easy to guess.
Once it is run, Gaobot.L connects to a specified IRC server through the port 9900 and waits for control commands. As a backdoor, it allows to obtain information on the affected computer, run files, launch distributed denial of service (DDoS) attacks, upload files by FTP, etc. It also ends processes belonging to Nachi.A, Autorooter.A, Sobig.F and several variants of Blaster.
If you have a Windows XP/2000/NT computer, it is highly recommendable to download the security patches for the RPC DCOM and WebDAV vulnerabilities from the Microsoft website.
A clear indication that Gaobot.L has reached the computer is that the network traffic increases on the ports 135 and 445, as the worm attempts to exploit the RPC DCOM vulnerability.