Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

First MS04-011 Worm emerges: W32/Gaobot.worm.ali

Symantec has also classified this first MS04-011 variant as W32.Gaobot.AFJ. The "good news" is that it is not an active threat, because the IRC server it depends on has been shut down; the "bad news" is that it provides a model for further crafting of worms that exploit MS04-011.

First MS04-011 Worm emerges: W32/Gaobot.worm.ali
http://vil.nai.com/vil/content/v_125006.htm
http://www.incidents.org/diary.php?date=2004-04-28
http://www.incidents.org/diary.php?date=2004-04-27

At the time of this writing, there are more than 900 variants of the Gaobot virus in existence.  The source code for Gaobot was posted to various websites resulting in many new variants being created each week.  

W32/Gaobot.worm.ali stands out from the others because it appears to be the first variant that incorporates code to exploit an MS04-011 vulnerability (the LSASS vulnerability, CAN-2003-0533).

This particular variant is not currently a threat, as it depends on an IRC server that is no longer available. However, functional variants are expected to follow soon, and their details will likely differ from this one.

For maximum protection against the Gaobot family, users are recommended to:

* use the latest engine/DATs combination
* ensure the scanning of compressed files is enabled
* keep Windows systems patched by using Windows Update
* ensure weak username/passwords are not used
* run a personal desktop firewall application

The virus contains extensive remote access functionality, including:

* Create/Remove services
* Denial of service attack
* FTP/HTTP functions (upload, download files, etc)
* IRC functions
* Retrieve system information (RAM, CPU, Disk Space)
* Secure/insecure Windows shares
* Shutdown/reboot/logoff computer
* Sniffer
* Steal CD and product keys for various products
* Terminate running processes