Virus Alert: W32.Gaobot.BAJ (No64)


W32.Gaobot.BAJ is a worm that spreads through shared resources and is capable of using Mydoom's backdoor component to spread to other computers. The worm also allows an attacker to gain unauthorized access to a victim's computer through a predetermined IRC channel.

W32.Gaobot.BAJ appeared on 2/8. When executed, W32.Gaobot.BAJ will perform the following tasks:

- Copies itself to "%System%\wmon32.exe". Note: "%System%" is a variable; the worm determines the location of the system directory and copies itself there. By default, the system directory is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

- Uses the following registry key so that the worm runs automatically when the system starts.

- Connects to a remote IRC server on port 6667 and listens for commands from the attacker. Commands include: loading and executing files; scanning the network; listing, stopping and starting processes; controlling the file system (deleting, creating and listing files); initiating Denial of Service (DoS) attacks; port transfer; stealing system information and sending e-mail to attackers.

- Scans computers on the network and tries to connect to shared resources using the list of available usernames and passwords. If successful, the worm will spread to another machine.

- Scans your computer for infections of Mydoom variants. If these variants are found, W32.Gaobot.BAJ uses Mydoom's backdoor component to copy itself to another computer.

- Steals the following game CD keys: Command & Conquer Generals, FIFA 2003, Need for Speed Hot Pursuit 2, Soldier of Fortune II - Double Helix, Neverwinter, Rainbow Six III RavenShield, Battlefield 1942 Road to Rome, Project IGI 2, Counter-Strike, Unreal Tournament 2003, Half-Life.
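
The behaviours listed above can be turned into a host triage check. The following is an added example, not part of the original alert: it flags hosts where wmon32.exe appears in a default system directory, where outbound connections go to port 6667, or where one host connects to shares on several machines. The event format and sample lines are constructed, and the SMB ports (139/445) and the fan-out threshold are assumptions.

```python
import csv, io, ntpath
from collections import defaultdict

# Indicators stated in the alert.
WORM_FILE = "wmon32.exe"
SYSTEM_DIRS = {r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32"}
IRC_PORT = 6667
# Assumptions, not from the alert: share access seen as SMB (139/445), fan-out threshold.
SMB_PORTS = {139, 445}
SMB_FANOUT = 3

# Constructed sample events: host,event,path,dst_ip,dst_port
SAMPLE = r"""ws01,file_create,C:\WINNT\System32\wmon32.exe,,
ws01,net_connect,C:\WINNT\System32\wmon32.exe,203.0.113.7,6667
ws01,net_connect,C:\WINNT\System32\wmon32.exe,10.0.0.11,445
ws01,net_connect,C:\WINNT\System32\wmon32.exe,10.0.0.12,445
ws01,net_connect,C:\WINNT\System32\wmon32.exe,10.0.0.13,139
ws02,net_connect,C:\Program Files\chat\client.exe,192.0.2.40,6667
ws03,file_create,D:\tools\wmon32.exe,,
ws03,net_connect,C:\Windows\explorer.exe,10.0.0.5,445
"""

def triage(log_text):
    """Return {host: sorted findings} for events that match the alert's behaviour."""
    findings, smb_targets = defaultdict(set), defaultdict(set)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        host, event, path, dst_ip, dst_port = row
        # ntpath handles Windows paths on any OS; normcase lowercases and unifies slashes.
        folder, name = ntpath.split(ntpath.normcase(path))
        worm_path = name == WORM_FILE and folder in SYSTEM_DIRS
        if event == "file_create" and worm_path:
            findings[host].add("wmon32.exe created in system directory")
        elif event == "net_connect" and dst_port.isdigit():
            port = int(dst_port)
            if port == IRC_PORT:
                source = " from wmon32.exe" if worm_path else ""
                findings[host].add("outbound IRC on 6667" + source)
            elif port in SMB_PORTS:
                smb_targets[host].add(dst_ip)
    for host, targets in smb_targets.items():
        if len(targets) >= SMB_FANOUT:
            findings[host].add(f"SMB connections to {len(targets)} distinct hosts")
    return {host: sorted(items) for host, items in findings.items()}

if __name__ == "__main__":
    for host, items in triage(SAMPLE).items():
        print(host, "->", "; ".join(items))
```

A port 6667 connection on its own (ws02 in the sample) is weak evidence, since legitimate IRC clients use the same port; it becomes significant when combined with the file indicator on the same host.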