W32.Gangbot


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 22 Jan 2007
Damage: Medium

Characteristics: W32.Gangbot is a worm that opens a backdoor and automatically connects to an IRC server. IRC servers are known as Internet Relay Chat. It is also a program or software that usually spreads and comes from several chat sites. All platforms of windows are vulnerable to this virus, may it be Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT and Windows XP. It controls the compromised computer by using Internet Relay Chat which is done remotely or locally. There are a lot of avenues through which this worm spreads.

More details about W32.Gangbot

Gangbot is one of the families of worms spreading with backdoor capabilities. It steals private or confidential files or data from the compromised computer; thus, producing several effects such as allowing remote user connection, logging key strokes, connecting itself automatically to the internet, concealing from the user while staying resident in the background. The worm may steal passwords for websites, accessed FTP servers, and instant messenger applications like AOL Instant Messenger, ICQ Messenger, MSN Messenger and Yahoo! Messenger. It can also be destructive, having the ability to also download malware on a compromised computer. Reports also say that it changes registry values to reduce system security. Once executed, it searches for vulnerable SQL servers and automatically sends an HTML link to available contacts on instant messenger programs. It exploits the Microsoft Internet Explorer Vector Markup Language Buffer Overflow Vulnerability (BID 20096) and RealVNC Remote Authentication Bypass Vulnerability (BID 17978) in order for the worm spread.

Experts have categorized the W32.Gangbot program as malware because of the danger it poses to the computer. This worm program is a serious threat to the user’s privacy and security as the hacker can gain administrative privileges over the computer without the user’s consent. Moreover, the influence gained by the intruder over the computer can be used for malicious purposes such as the downloading and execution of malicious codes and using the computer as a tool for initiating bot and DOS attacks.