Weekly Report on Viruses and Intruders – Gaobot.GLV and Oscarbot.F Worms; Sober.W Trojan
Sober.W is a Trojan whose only purpose appears to be mass-mailing messages with content related to the German extreme right-wing movement, alluding to the Second World War on the 60th anniversary of its end. As is usual with this type of malware, it cannot spread by itself and has to be distributed manually through other channels. Once installed, Sober.W harvests email addresses from the affected computer and sends each of them one of the 30 messages embedded in its code, chosen at random. The Trojan also edits several registry keys so that it runs on every system startup. It is designed to stop sending spam on May 23rd and then start trying to download files from a series of URLs embedded in its code, which means a machine that seems to have gone quiet may still be fetching a second-stage payload.
Oscarbot.F is a worm with backdoor characteristics, designed to spread through AOL Instant Messenger (AIM), a popular instant messaging application, by sending messages to every address in the Contact List. These messages include a URL which, when visited, downloads a copy of the worm or other malware to the affected computer. As is usual with bots, once installed on the targeted system Oscarbot.F connects to an IRC server and waits for orders from a remote user, such as downloading and running files or spreading via AIM. Finally, the worm edits certain registry keys to ensure that it is run every time the system starts up.
The main purpose of Gaobot.GLV is to terminate processes belonging to several security tools, such as antivirus programs and firewalls; to prevent users from accessing several web pages, mainly those of antivirus and computer security companies, by modifying the HOSTS file on the affected computer so that those hostnames never reach DNS; and to install a TFTP server. It also carries a component intended to hide its activity on the affected computer, although this component does not work properly on Windows XP.
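The HOSTS-file trick described above is easy to check for by hand, but a script makes it repeatable across a fleet. The following Python is an added example written for this report, not Panda Software code and not part of the worm: it parses HOSTS-format text and flags any entry that pins a security-vendor domain to an address, classifying the target as a loopback/unspecified sinkhole, a private address or a remote host. The list of watched domains and the sample HOSTS content are constructed for illustration; on Windows the file actually lives at %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Flag HOSTS entries that hijack security-vendor domains.

Added example (not Panda Software code, not from the original report).
Gaobot-style malware maps antivirus and update hostnames to 127.0.0.1 or
another dead address in HOSTS so the name resolves locally and the real
site is never contacted. Any pinning of such a domain is suspicious.
"""
import ipaddress

# Illustrative list of domains that should never be pinned in HOSTS.
# Hypothetical selection; extend with the vendors you actually use.
WATCHED_SUFFIXES = (
    "pandasoftware.com",
    "symantec.com",
    "mcafee.com",
    "kaspersky.com",
    "microsoft.com",
    "windowsupdate.com",
)

# Constructed sample of a tampered HOSTS file (not captured from a real host).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example   # legitimate local entry
127.0.0.1 www.pandasoftware.com
127.0.0.1 liveupdate.symantec.com
0.0.0.0   download.mcafee.com
10.0.0.1  update.kaspersky.com
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in HOSTS-format text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line, nothing to map
        ip = fields[0]
        for host in fields[1:]:  # one IP may carry several aliases
            yield ip, host.lower(), line_no


def is_watched(host, watched=WATCHED_SUFFIXES):
    """True if host is a watched domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in watched)


def classify_target(ip):
    """Describe where a hijacked name is being sent."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid-ip"
    if addr.is_loopback or addr.is_unspecified:
        return "sinkhole"  # classic Gaobot pattern: name resolves to nowhere
    if addr.is_private:
        return "private"
    return "remote"  # could be an attacker-controlled fake update server


def find_hijacked(text, watched=WATCHED_SUFFIXES):
    """Return [(line_no, ip, hostname, target_kind)] for pinned watched domains."""
    hits = []
    for ip, host, line_no in parse_hosts(text):
        if host == "localhost":
            continue
        if is_watched(host, watched):
            hits.append((line_no, ip, host, classify_target(ip)))
    return hits


if __name__ == "__main__":
    for line_no, ip, host, kind in find_hijacked(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip} ({kind})")
```

Run against the real file rather than the sample by reading it into `find_hijacked`; a clean machine should return an empty list, since legitimate HOSTS files almost never mention vendor update domains at all.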
Gaobot.GLV spreads both across the Internet and through shared network resources. Across the Internet it tries to exploit the LSASS (MS04-011), RPC DCOM (MS03-026), WINS (MS04-045), Workstation Service buffer overrun (MS03-049) and SQL Server 2000 Resolution Service buffer overrun (MS02-039) vulnerabilities, and it also tries to log in to computers running SQL Server with a blank password. On shared network resources, Gaobot.GLV tries to guess weak user names and passwords (typical or easily guessed passwords). Whichever route succeeds, Gaobot.GLV copies itself to the compromised computer or shared resource. All five vulnerabilities were patched by Microsoft well before this worm appeared, so a fully patched host that does not expose SQL Server with a blank password is only reachable through the weak-password route.
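A host infected with a worm like this shows a distinctive pattern in perimeter or internal firewall logs: one source touching many different destinations on the handful of ports behind the services listed above (TCP 135, 139, 445, 42 and 1433, UDP 1434). The following Python is an added example, not from Panda Software or from the report, that runs that check over constructed log lines in a simplified "date time proto src:sport -> dst:dport action" format; the port-to-service mapping is my assumption from the service names in the report, and the regular expression would need adapting to a real firewall's format.

```python
"""Spot Gaobot-style lateral scanning in connection logs.

Added example (not Panda Software code, not from the original report).
Groups connection records by source address and counts how many
distinct destinations each source hits on the ports the worm's exploit
list implies. Log lines below are constructed, not captured traffic.
"""
import re
from collections import defaultdict

# Ports implied by the services the report names (assumed mapping).
WORM_PORTS = {
    ("tcp", 135): "RPC DCOM",
    ("tcp", 139): "Workstation Service / SMB",
    ("tcp", 445): "LSASS / SMB shares",
    ("tcp", 42): "WINS",
    ("tcp", 1433): "SQL Server (blank or weak password)",
    ("udp", 1434): "SQL Server 2000 Resolution Service",
}

# Simplified constructed log format; adapt to your firewall's real output.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>tcp|udp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<action>\w+)$"
)

# Constructed sample: 10.1.1.50 sweeps the subnet, 10.1.1.77 is a normal user.
SAMPLE_LOG = """\
2005-05-13 10:00:01 tcp 10.1.1.50:3001 -> 10.1.1.1:445 deny
2005-05-13 10:00:01 tcp 10.1.1.50:3002 -> 10.1.1.2:445 deny
2005-05-13 10:00:01 tcp 10.1.1.50:3003 -> 10.1.1.3:445 allow
2005-05-13 10:00:02 tcp 10.1.1.50:3004 -> 10.1.1.4:135 deny
2005-05-13 10:00:02 tcp 10.1.1.50:3005 -> 10.1.1.5:135 deny
2005-05-13 10:00:03 tcp 10.1.1.50:3006 -> 10.1.1.6:139 deny
2005-05-13 10:00:03 tcp 10.1.1.50:3007 -> 10.1.1.7:42 deny
2005-05-13 10:00:04 tcp 10.1.1.50:3008 -> 10.1.1.8:1433 deny
2005-05-13 10:00:04 udp 10.1.1.50:3009 -> 10.1.1.9:1434 allow
2005-05-13 10:00:05 tcp 10.1.1.77:4000 -> 10.1.1.1:445 allow
2005-05-13 10:00:05 tcp 10.1.1.77:4001 -> 10.1.1.1:445 allow
2005-05-13 10:00:06 tcp 10.1.1.77:4002 -> 10.1.1.200:80 allow
"""


def parse_log(text):
    """Return a list of dicts for every line matching LOG_RE; skip the rest."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: ignore rather than crash the sweep
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def find_scanners(records, threshold=5):
    """Return {src: {"targets": n, "services": [...]}} for sources that hit
    at least `threshold` distinct destinations on worm ports.

    Denied and allowed connections both count: a scan sweeps addresses
    regardless of whether each target answers.
    """
    targets = defaultdict(set)
    services = defaultdict(set)
    for r in records:
        key = (r["proto"], r["dport"])
        if key not in WORM_PORTS:
            continue  # unrelated traffic, e.g. web browsing
        targets[r["src"]].add(r["dst"])
        services[r["src"]].add(WORM_PORTS[key])
    return {
        src: {"targets": len(dsts), "services": sorted(services[src])}
        for src, dsts in targets.items()
        if len(dsts) >= threshold
    }


if __name__ == "__main__":
    for src, info in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['targets']} hosts probed on {', '.join(info['services'])}")
```

In production the counts should be bucketed by time (a sweep completes in seconds), and a legitimate vulnerability scanner or domain controller will trip the same rule, so keep an allow-list of known scanners rather than lowering the threshold.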
To avoid infection by this malware or any other malicious code, Panda Software recommends that users keep their antivirus software updated. Panda Software clients can already find updates for detecting and disinfecting these malware specimens available to them.