At work we got hit by a rather nasty virus. I thought I would get this out there in case anyone else is being hit by it.
We have identified the virus as a variant of GaoBot. GaoBot spreads primarily by attacking systems vulnerable to one of several RPC overflow issues for which Microsoft has issued patches. In addition, the virus guesses passwords for the network accounts it encounters, which is the cause of the account lockouts we have been experiencing. The virus also copies itself to any available network share in the hope that someone will execute it. Symantec has provided a cleanup tool that removes the virus and cleans out the remaining registry entries; it can be downloaded separately HERE
In the event that a machine is suspected of having the virus, the following procedure must be followed to disinfect it:
- Disconnect the machine from the network
- Stop the virus from running by rebooting into safe mode OR killing the lnksvc32.exe process.
- Verify the virus is not in memory by looking at task manager for process lnksvc32.exe.
- Verify the virus is not installed as a service by checking the Services console (services.msc) or "sc query" for a service named "hsgohss" with an executable path of "\\ipaddress\d$\lnksvc32.exe". Task Manager on Windows 2000/XP lists processes, not services, so it will not show this entry.
- Remove the registry values currently known to be associated with the virus (the "lekio startup" value under each of these keys):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lekio startup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\lekio startup
- Reboot the computer and validate that virus is not in memory by looking at task manager for process lnksvc32.exe.
- Update the Norton AntiVirus software by placing the virus definition update file in the appropriate directory for your version and configuration of the Symantec AntiVirus product (e.g., c:\documents and settings\all users\application data\symantec\norton antivirus corporate edition\7.5).
- You must use at least definition file vd1c7811.xdb (1/28/05) to catch the virus.
- Instructions for installation (note that these definitions are not available from LiveUpdate at this time):
- Copy the .xdb file to one of the following destinations, depending on the version of Symantec AntiVirus and the operating system:
- For antivirus servers on Windows operating systems, the default is C:\Program Files\SAV\ for Symantec AntiVirus 8.x, or C:\Program Files\Symantec AntiVirus for Symantec AntiVirus 9.x.
- For clients running Windows 2000/XP, the default is either C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\ or C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\.
The Application Data folder may be hidden. To show hidden and system folders, see the Symantec document "How to show hidden files and protected operating system files in Windows".
- For clients running Windows NT 4.0, the default is C:\WinNT\Profiles\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\.
- For clients running Windows 98/Me, the default is C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\ or C:\Program Files\Symantec AntiVirus\.
- For NAV 7.x clients, the definitions are the .vdb files on ftp.symantec.com.
- Copy the file into c:\documents and settings\all users\application data\Symantec\Norton AntiVirus\7.5
- Using the Services control panel, stop AND restart all Symantec AntiVirus services (this can include a service known as DefWatch).
- Wait a minute or two then launch the Symantec AntiVirus Client Security utility and verify that the virus definition date is 1/28/05
- Verify NAV is running the updated definitions. This may take a minute or two to be reflected on the screen.
- Manually install the Microsoft patches listed below:
- The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
- The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
- The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03-049.
- The Microsoft Messenger Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-043).
- The Locator service vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445. The worm specifically targets Windows 2000 machines using this exploit.
- The UPnP vulnerability (described in Microsoft Security Bulletin MS01-059).
- The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061), using UDP port 1434.
- The LSASS vulnerability (described in Microsoft Security Bulletin MS04-011) using TCP ports 139 and 445.
- Scan the %SystemRoot%\system32 directory for viruses. You should find the Randex virus in this path unless it was already removed. Other copies of Randex may be found on the system by a later scan.
- Install MBSA 1.2 and run a scan. Validate the scan output. We are currently focusing on Windows security updates; check which updates are not installed.
- Validate the information returned by MBSA by connecting to Windows Update and installing the critical patches. Document any differences to share with other teams.
- After all patches are installed, kick off a full system scan and check the output when it completes.
- If a hosts file with special entries is required, check it: NAV may have quarantined the hosts file.
- Check for any user accounts that may have been locked out and need to be re-enabled.
The Dragon IDS signatures listed below (as named by Enterasys) are normally seen together in a correlated incident indicating a host infected with Gaobot:
This appears to be a new variant of Gaobot.
- Check the local hosts file on the system (c:\windows\system32\drivers\etc\hosts) for unusual entries, including redirects for security websites such as Symantec, Windows Update, McAfee, etc. Because the hosts file has been edited, infected machines are unable to reach Symantec and other vendor sites.
- You can also look for lnksvc32.exe in Task Manager or on the file system.
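The checks from the disinfection procedure and the hosts-file note above, collected into one triage script. This is an added example, not a tool from the original post or from Symantec: the indicators (lnksvc32.exe, the "hsgohss" service with a \\ipaddress\d$\lnksvc32.exe path, the "lekio startup" Run/RunServices values, vendor redirects in the hosts file, locked-out accounts) are the ones the post names, while the vendor name list, the d$-share regex and the -KillProcess switch are my assumptions. It assumes PowerShell 2.0 or later, so it applies to the XP SP2+ hosts, not to Windows 2000; run it elevated after the machine has been pulled off the network.

```powershell
# Gaobot triage script (added example, not part of the original post).
# Indicators are the ones named in the post: process/file lnksvc32.exe, a service
# "hsgohss" whose binary path points at \\<ip>\d$\lnksvc32.exe, "lekio startup"
# values under the Run and RunServices keys, and hosts-file redirects for vendor
# sites. Assumes PowerShell 2.0 or later; run it elevated on the suspect host
# after the host is off the network. Detection only: nothing is removed unless
# -KillProcess is given, and even then only the running process is terminated.
param(
    [switch]$KillProcess
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Is the virus in memory?
foreach ($p in (Get-Process -Name 'lnksvc32' -ErrorAction SilentlyContinue)) {
    $findings.Add("Process running: lnksvc32.exe (PID $($p.Id))")
    if ($KillProcess) { Stop-Process -Id $p.Id -Force }
}

# 2. Is it installed as a service? Match the name from the post and also any
#    service whose binary lives on a remote d$ admin share (regex is an assumption).
$sharePath = '(?i)\\\\[^\\]+\\d\$\\lnksvc32\.exe'
foreach ($s in (Get-WmiObject -Class Win32_Service)) {
    if ($s.Name -eq 'hsgohss' -or $s.PathName -match $sharePath) {
        $findings.Add("Service: $($s.Name) state=$($s.State) path=$($s.PathName)")
    }
}

# 3. Autostart entries under Run and RunServices (the value name has a space).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -eq 'lekio startup' -or "$($prop.Value)" -match '(?i)lnksvc32\.exe') {
            $findings.Add("Registry: $key\$($prop.Name) = $($prop.Value)")
        }
    }
}

# 4. Dropped copy in system32.
$dropped = Join-Path $env:SystemRoot 'system32\lnksvc32.exe'
if (Test-Path $dropped) { $findings.Add("File present: $dropped") }

# 5. Hosts-file tampering: any active (non-comment) line naming a vendor site.
#    The vendor list is an assumption taken from the post's examples; extend it.
$vendors = 'symantec|windowsupdate|mcafee|liveupdate'
$hostsPath = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'
if (Test-Path $hostsPath) {
    foreach ($raw in (Get-Content $hostsPath)) {
        $line = ($raw -split '#')[0].Trim()      # drop comments and blank lines
        if ($line -and $line -match "(?i)$vendors") {
            $findings.Add("Hosts redirect: $line")
        }
    }
}

# 6. Local accounts locked out by the password guessing. For domain accounts use
#    Search-ADAccount -LockedOut from the Active Directory module instead.
$locked = Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True AND Lockout=True'
foreach ($u in $locked) { $findings.Add("Locked-out local account: $($u.Name)") }

if ($findings.Count -eq 0) {
    Write-Output 'No Gaobot indicators found.'
} else {
    Write-Output "Indicators found: $($findings.Count)"
    foreach ($f in $findings) { Write-Output "  $f" }
}
```

Save it as, for instance, Find-Gaobot.ps1 and run ".\Find-Gaobot.ps1" first to see the report, then ".\Find-Gaobot.ps1 -KillProcess" if lnksvc32.exe is in memory and you are not rebooting into Safe Mode. It deliberately does not delete the registry values or the file, so that the service definition and the share path it points at can be recorded before cleanup (the share path names the machine that infected this one). On hosts without PowerShell the same checks can be made by hand with tasklist, sc query and reg query.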