W32.HLLW.Gaobot.JB

W32.HLLW.Gaobot.JB is a minor variant of W32.HLLW.Gaobot.BF that uses a different file name and is repacked with PECompact. It attempts to spread to network shares that have weak passwords and allows attackers to access an infected computer through an IRC channel.

The worm uses multiple vulnerabilities to spread, including:

• The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
• The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445.
• The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.

When W32.HLLW.Gaobot.JB attempts to run on Windows 95/98/Me, it causes the error:
Error Starting Program
The PSAPI.DLL file is linked to missing export NTDLL.DLL:NtCreateProfile

Protection

• Initial Rapid Release version February 5, 2004
• Latest Rapid Release version February 5, 2004
• Initial Daily Certified version February 5, 2004
• Latest Daily Certified version January 15, 2008 revision 016
• Initial Weekly Certified release date February 11, 2004

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Medium

Distribution

• Distribution Level: Medium