W32.Gobot.A


Aliases: Backdoor.Gobot.u, Exploit-Mydoom, W32/Arghast.worm, Win32.HLLW.Arghast, W32/Gobot-E
Variants: Backdoor.Win32.Gobot.ae, Backdoor:Win32/Gobot.AE, Win32/Arghast.A, W32/Gobot.E.worm, BKDR_GOBOT.DF

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: North America, Europe, Africa
Removal: Hard
Platform: W32
Discovered: 06 May 2004
Damage: Medium

Characteristics: A worm with Trojan horse functionality, this threat exploits file sharing networks, Internet Relay Chat servers, and weakly protected network shares to spread its infection. W32.Gobot.A is known for taking advantage of the unprotected backdoor left open on systems infected by the Mydoom malware family, which means that the majority of its infections occur on computers that have already been compromised by another worm variant.

More details about W32.Gobot.A

Like the majority of worm families, W32.Gobot.A relies on successfully installing its trigger file into the system folder of the main hard drive. It also modifies specific Windows Registry values so that it is loaded automatically with the operating system at every boot or restart. As part of its initial infection routine, W32.Gobot.A silently terminates the running processes of security programs and critical system monitoring tools; this is done to keep the user from detecting its presence and from blocking delivery of its payload. W32.Gobot.A then scans the infected machine for network shares and uses them to compromise the rest of the network environment.

W32.Gobot.A uses port 3127 for its backdoor functionality, allowing the malware to wait silently in the background for further instructions from its author. The undetected backdoor can serve as a gateway for launching UDP, SYN, HTTP, and ICMP flooding attacks against various servers. The same channel can also be used to connect to remote servers and download additional malicious code onto the compromised machine. W32.Gobot.A has also been observed inserting its code into all executable files stored in the shared folders of peer-to-peer applications.