Gaobot Infections
Posted on Monday, April 05 @ 12:01:49 CDT by dan

There are currently a significant number of computers infected with the Gaobot worm (also known as Agobot). This worm gives an attacker remote control of your computer, so if your computer is infected it is urgent that the worm be removed and the system be patched to prevent reinfection. There are many variants of Gaobot, but the three we are most commonly seeing are indicated by the presence of regsvc32.exe, navpaw.exe and/or nvsrvcx32.exe in the process list (press Ctrl-Alt-Delete to open Task Manager and look at the Processes tab; do not confuse regsvc32.exe with the legitimate Windows component regsvr32.exe). If you are infected you may have some luck using the TrendMicro online scanner, although the worm blocks communication with antivirus vendors' sites by adding entries to the HOSTS file that point their hostnames at 127.0.0.1 (the local machine). You can repair this manually by editing the file C:\Windows\System32\drivers\etc\hosts and removing all of the entries for the AV sites. The only entry normally found in that file is the one for localhost (127.0.0.1 localhost). You can also contact your technical support person for assistance.

Students on the Residence Hall network should contact the Housing Office technical support staff for assistance if they are unable to remove and repair the problem on their own.

The worm can be removed by hand using the following steps (references to C:\Windows should be replaced with C:\WINNT on Windows 2000 systems). A running executable cannot be deleted, but it can be renamed; the renamed worm keeps running only until you reboot, and the empty read-only file saved under the original name prevents the worm's startup entries from relaunching it.

Open a command prompt
CD C:\Windows\System32
rename navpaw.exe nonavpaw.exe
rename nvsrvcx32.exe nonvsx32.exe
rename regsvc32.exe noregsvc32.exe

edit navpaw.exe (save an empty file)
attrib +r navpaw.exe
edit nvsrvcx32.exe (save an empty file)
attrib +r nvsrvcx32.exe
edit regsvc32.exe (save an empty file)
attrib +r regsvc32.exe

edit C:\Windows\System32\drivers\etc\hosts and repair as detailed above.
reboot

Use the TrendMicro scanner to scan your system for any other problems. Removing other worms is vital, since Gaobot can re-enter through the backdoors left by the MyDoom and Bagle worms (which need to be removed anyway). Apply all of Microsoft's Critical Updates from the Windows Update service. Check all accounts on your system and verify that each has a strong password; Gaobot also spreads by guessing weak passwords on network shares, so a blank or trivial administrator password will get you reinfected.

You may also want to use regedit to remove the entries created by the worm under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunServices. You cannot do this until the worm has been stopped, as it will close regedit. If you aren't familiar with using regedit, skip this step, as you can make your system unusable if you are not careful. You can also delete the files that were renamed above once the system has been rebooted. Read the Securing Your PC article for further information on making sure you have a secure system.


Removing the Malware Entries in the HOSTS file

Deleting the worm's entries from the HOSTS file prevents the redirection of antivirus Web sites to the local machine. Note that the file has no extension; when saving from Notepad, make sure it is not saved as HOSTS.txt.

Open the following file using a text editor such as Notepad:
  • %System%\drivers\etc\HOSTS
Delete the following entries:
  • 127.0.0.1 www.trendmicro.com
  • 127.0.0.1 trendmicro.com
  • 127.0.0.1 rads.mcafee.com
  • 127.0.0.1 customer.symantec.com
  • 127.0.0.1 liveupdate.symantec.com
  • 127.0.0.1 us.mcafee.com
  • 127.0.0.1 updates.symantec.com
  • 127.0.0.1 update.symantec.com
  • 127.0.0.1 www.nai.com
  • 127.0.0.1 nai.com
  • 127.0.0.1 secure.nai.com
  • 127.0.0.1 dispatch.mcafee.com
  • 127.0.0.1 download.mcafee.com
  • 127.0.0.1 www.my-etrust.com
  • 127.0.0.1 my-etrust.com
  • 127.0.0.1 mast.mcafee.com
  • 127.0.0.1 ca.com
  • 127.0.0.1 www.ca.com
  • 127.0.0.1 networkassociates.com
  • 127.0.0.1 www.networkassociates.com
  • 127.0.0.1 avp.com
  • 127.0.0.1 www.kaspersky.com
  • 127.0.0.1 www.avp.com
  • 127.0.0.1 kaspersky.com
  • 127.0.0.1 www.f-secure.com
  • 127.0.0.1 f-secure.com
  • 127.0.0.1 viruslist.com
  • 127.0.0.1 www.viruslist.com
  • 127.0.0.1 liveupdate.symantecliveupdate.com
  • 127.0.0.1 mcafee.com
  • 127.0.0.1 www.mcafee.com
  • 127.0.0.1 sophos.com
  • 127.0.0.1 www.sophos.com
  • 127.0.0.1 symantec.com
  • 127.0.0.1 securityresponse.symantec.com
  • 127.0.0.1 www.symantec.com
    Save the file HOSTS and close the text editor.
    NOTE: %System% is the Windows System folder, which is usually C:\Windows\System on Windows 98/ME, C:\WINNT\System32 on Windows NT/2000, or C:\Windows\System32 on Windows XP.
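The HOSTS repair described in the removal steps earlier in this notice and in the list above, as an added example that is not part of the original notice or of any vendor's removal tool. The script treats every name other than localhost that is mapped to the loopback address as a hijack, so it also catches vendor sites a variant adds that are missing from the list above, while leaving comments, blank lines and legitimate non-loopback entries untouched. The loopback-name rule (only localhost may legitimately point at 127.0.0.1), the default file path and the sample HOSTS content are assumptions constructed for the example.

```python
"""Repair a Windows HOSTS file hijacked by Gaobot/Agobot.

Added example, not part of the original notice and not a vendor tool. It
implements only what the notice states: the worm maps antivirus vendor
hostnames to 127.0.0.1, and a clean file needs only the localhost entry.
"""

# Addresses the worm uses to black-hole a name. ::1 is the IPv6 loopback;
# it is not on XP-era systems and is included only for generality.
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1"}

# The only names that legitimately point at a loopback address (assumption,
# following the notice: the only entry normally found is for localhost).
LEGIT_LOOPBACK_NAMES = {"localhost"}

# Vendor tokens taken from the notice's list of hijacked sites; used only to
# label what was found, not to decide what gets removed.
AV_VENDOR_TOKENS = ("trendmicro", "mcafee", "symantec", "nai.com",
                    "networkassociates", "my-etrust", "ca.com", "kaspersky",
                    "avp.com", "viruslist", "f-secure", "sophos")

# Default location on Windows XP (assumption); use C:\WINNT\... on Windows 2000.
DEFAULT_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample: a stock XP header, the legitimate localhost line, three
# worm entries (one hidden on the same line as localhost) and a LAN entry.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1 www.trendmicro.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 localhost download.mcafee.com
10.0.0.5        printserver   # legitimate LAN entry, must survive
"""


def split_hosts_line(line):
    """Return (address, names, comment) or None for blank/comment-only lines."""
    body, _, comment = line.partition("#")
    fields = body.split()
    if not fields:
        return None
    return fields[0], fields[1:], comment


def repair_hosts(text):
    """Return (cleaned_text, removed_names).

    Any name other than localhost mapped to a loopback address is treated as
    a hijack, whichever vendor it belongs to. Comments, blank lines and
    non-loopback entries are kept exactly as they were; line endings are
    preserved (CRLF on a real Windows file).
    """
    newline = "\r\n" if "\r\n" in text else "\n"
    kept, removed = [], []
    for line in text.splitlines():
        parsed = split_hosts_line(line)
        if parsed is None or parsed[0] not in LOOPBACK_ADDRESSES:
            kept.append(line)
            continue
        address, names, comment = parsed
        good = [n for n in names if n.lower() in LEGIT_LOOPBACK_NAMES]
        bad = [n for n in names if n.lower() not in LEGIT_LOOPBACK_NAMES]
        removed.extend(bad)
        if not bad:
            kept.append(line)                 # clean line, keep as-is
        elif good:
            rebuilt = f"{address} {' '.join(good)}"
            if comment:
                rebuilt += " #" + comment
            kept.append(rebuilt)              # strip only the hijacked names
        # else: every name on the line was a hijack; drop the whole line
    return newline.join(kept) + newline, removed


def hijacked_vendors(names):
    """Sorted vendor tokens seen among the removed names, for the report."""
    found = set()
    for name in names:
        found.update(tok for tok in AV_VENDOR_TOKENS if tok in name.lower())
    return sorted(found)


if __name__ == "__main__":
    import shutil
    import sys

    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOSTS_PATH
    # newline="" keeps CRLF intact when reading and writing
    with open(path, newline="") as f:
        original = f.read()
    cleaned, removed = repair_hosts(original)
    if removed:
        shutil.copy(path, path + ".bak")      # keep a copy as evidence
        with open(path, "w", newline="") as f:
            f.write(cleaned)
    print(f"removed {len(removed)} hijacked names; "
          f"vendors: {hijacked_vendors(removed)}")
```

Run it from an administrator command prompt after the worm has been stopped; while the worm is still running it can rewrite the file behind you. Given the constructed sample it removes www.trendmicro.com, liveupdate.symantec.com and download.mcafee.com, turns the mixed line back into 127.0.0.1 localhost, and leaves the header comments and the printserver entry as they were.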