This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
- The virus hides all files containing the word "sound" on the infected machine.
- Unusual ports are opened.
- The following registry keys are added on an infected system:
- The virus hooks the following registry keys to run the worm at startup:
- The worm attempts to terminate the following processes:
The virus appends entries to the hosts file in order to redirect the URLs below to the IP address 127.0.0.1. This prevents users from reaching these websites to receive AV updates.
Infected hosts files are detected (and cleaned) as W32/Polybot.l!hosts with the specified engine/DATs. Upon such a detection, users should follow the details specified in the Removal Instructions to remove the virus.
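As an added example (not part of McAfee's description or tooling), a small Python check that parses a Windows hosts file and flags hostnames mapped to a loopback or null address, which is how the tampering described above shows up on a system. The sample hosts content and the example-av.test domain are constructed placeholders, since the page does not list the actual URLs.

```python
"""Check a Windows hosts file for entries that sink hostnames to loopback/null addresses."""
import ipaddress

# Addresses that silently blackhole a name when bound to a non-local hostname.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to loopback and must not be flagged.
LEGIT_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))  # normalise the address
        except ValueError:
            continue  # not an address/hostname mapping
        for name in fields[1:]:
            yield addr, name.lower(), line_no


def find_sinkholed_hosts(text, watch_suffixes=()):
    """Return suspicious entries as (line_no, hostname, address, watched).

    `watched` is True when the hostname falls under one of `watch_suffixes`
    (e.g. the domains of your AV vendor's update servers)."""
    findings = []
    for addr, name, line_no in parse_hosts(text):
        if addr not in SINK_ADDRESSES or name in LEGIT_LOCAL_NAMES:
            continue
        watched = any(name == s or name.endswith("." + s) for s in watch_suffixes)
        findings.append((line_no, name, addr, watched))
    return findings


# Constructed sample: a default hosts file plus two injected lines of the kind described above.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 update.example-av.test   # injected: placeholder AV update server
0.0.0.0 liveupdate.example-av.test
"""

if __name__ == "__main__":
    for line_no, name, addr, watched in find_sinkholed_hosts(SAMPLE_HOSTS, ("example-av.test",)):
        print(f"line {line_no}: {name} -> {addr} [{'WATCHED' if watched else 'suspicious'}]")
```

On a live system, read `%SystemRoot%\System32\drivers\etc\hosts` into `text` and pass the update domains of the security products you actually run as `watch_suffixes`.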
-- Update March 18th 2004 07:01 AM PST --
This threat has been deemed Low-Profiled due to media attention at the following site:
This variant belongs to a family of IRC bots based on the W32/Gaobot.worm group. The worm bears the following characteristics:
The worm attempts to spread through default administrative shares:
The worm contains a list of common usernames and passwords, made up of typically weak username/password combinations. Users should avoid securing shares with passwords containing key sequences such as:
IRC Bot component
The following actions can then be performed:
- Connects to an IRC server and joins a channel
- Enables/disables the DCOM process on the remote machine
- Obtains system information
- Downloads/uploads/executes files on the remote system
- Makes the infected machine behave like an FTP server
- Manipulates file shares on the infected machine
- Creates a shell on the remote machine
- Updates itself with a newer version
- Shuts down/reboots the computer
- Kills a process or service on the victim's machine
- Flooders: phatwonk, phaticmp, HTTP, SYN, UDP
- Proxy server: redirects HTTPS, SOCKS, GRE and TCP traffic
- Searches for W32/Bagle@MM processes
The worm also uses the bot component to steal the CD keys of the following games, as well as Windows Product IDs:
Denial of Service component
The worm body contains the following URLs. In our testing, it attempts to send a series of data packets to these URLs in an attempt to flood them. The list is not exhaustive.
Remote Access component
The worm opens random ports on the system. During testing, the following ports were observed: 3001 and 22156.
All Windows Users
Use specified DATs and engine for detection and removal:
Alternatively, users may reboot into Safe Mode prior to scanning for and removing the trojan.
Manual Removal Instructions
Additional Windows ME/XP removal considerations
© 2003-2013 McAfee, Inc.