Backdoor.Gobot.u, Exploit-Mydoom, W32/Arghast.worm, Win32.HLLW.Arghast, W32/Gobot-E
Backdoor.Win32.Gobot.ae, Backdoor:Win32/Gobot.AE, Win32/Arghast.A, W32/Gobot.E.worm, BKDR_GOBOT.DF
Category: Computer Worm
Active & Spreading
North America, Europe, Africa
06 May 2004
W32.Gobot.A is a worm with Trojan horse functionality. It abuses file sharing networks, Internet Relay Chat servers, and weakly protected network shares to spread. It is also known for taking advantage of the unprotected backdoor left open on systems infected by the Mydoom malware family, which means that the majority of infections occur on computers that have already been compromised by another worm.
More details about W32.Gobot.A
Like the majority of worm families, W32.Gobot.A depends on successfully installing its trigger file into the system folder of the main hard drive. It also modifies specific Windows Registry values so that it loads automatically with the operating system at every boot or restart. As part of its initial action on a vulnerable computer, W32.Gobot.A silently terminates the active processes of security programs and critical system monitoring tools, which keeps the user from detecting its presence and stopping its payload. It then scans the infected machine for network shares and uses them to compromise the rest of the network environment.
W32.Gobot.A uses port 3127 for its backdoor functionality, which lets the malware wait silently in the background for additional instructions from its author. The undetected backdoor can serve as a gateway for UDP, SYN, HTTP, and ICMP flooding attacks on various servers. The same communication channel can also be used to connect to remote servers and download additional malicious code onto the compromised machine. W32.Gobot.A has also been observed inserting its code into all executable files stored in the shared folders of peer-to-peer applications.
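A defender-side check for the backdoor port described above, as an added example that is not part of the original write-up: it parses Windows `netstat -ano` output and reports every socket involving port 3127 together with the owning PID. The sample output, the function name and the finding labels are constructed for illustration.

```python
import re

BACKDOOR_PORT = 3127  # backdoor port named in the description above

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1844
  TCP    192.168.1.20:3127      203.0.113.7:40112      ESTABLISHED     1844
  TCP    192.168.1.20:49210     198.51.100.9:3127      ESTABLISHED     2260
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:3127           *:*                                    1844
"""

# proto, local addr:port, remote addr:port, optional state (absent for UDP), PID
ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*([A-Z_]+)?\s+(\d+)\s*$"
)


def find_backdoor_sockets(netstat_text, port=BACKDOOR_PORT):
    """Return one finding per socket that involves `port`, with the owning PID."""
    findings = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or unrelated line
        proto, laddr, lport, raddr, rport, state, pid = m.groups()
        local_hit = int(lport) == port
        remote_hit = rport != "*" and int(rport) == port
        if local_hit and (proto == "UDP" or state == "LISTENING"):
            kind = "listener"          # something on this host is bound to the port
        elif local_hit and state == "ESTABLISHED":
            kind = "inbound-session"   # may also be a client socket on an ephemeral port
        elif remote_hit and state == "ESTABLISHED":
            kind = "outbound-to-port"  # this host is talking to another host's port
        else:
            continue
        findings.append({"kind": kind, "proto": proto, "pid": int(pid),
                         "local": f"{laddr}:{lport}", "remote": f"{raddr}:{rport}"})
    return findings


if __name__ == "__main__":
    for f in find_backdoor_sockets(SAMPLE_NETSTAT):
        print(f"{f['kind']:<17} {f['proto']} {f['local']} -> {f['remote']} pid={f['pid']}")
```

A hit is a lead rather than a verdict: resolve the PID to its executable before drawing conclusions, since an ordinary client socket can land on port 3127 by chance.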