
GAOBOT Worm reinfecting computers


Lorrie

Jun 15, 2004, 8:47:55 AM
The GAOBOT worm has been infecting and reinfecting computers.
We have not been successful in cleaning numerous computers. We start
the systems in safe mode, make sure that the admin account has a secure
password, update all critical updates on the system, run both of the
fxgaobot tools, run the latest version of the stinger program, make
sure that our antivirus program is up to date on definitions, and run a
full scan of the computer, but the worm seems to make its way back into
the computer!!! HELP

Lorrie Amerson
Eastern Virginia Medical School
LAN Administrator
amer...@evms.edu
fax: 757-446-5702

John McGaw

Jun 15, 2004, 9:36:22 AM
"Lorrie" <amer...@evms.edu> wrote in message
news:7fa1f531.04061...@posting.google.com...

Some more information would be useful. You say that "but the worm seems to
make its way back into the computer" but just as important might be WHEN the
seeming reinfection occurs. At reboot? Soon after reboot? At some random
time days afterward? Also, what operating system(s) are you running on the
machines? Firewall in place? Networkwide internet firewall or individual
firewalls on each computer? Assuming that the machines involved are
networked, has every machine on the network, including laptops
that come and go and home machines that might be accessing your network
remotely, been thoroughly checked?
--
John McGaw
[Knoxville, TN, USA]

Return address will not work. Please
reply in group or through my website:
http://johnmcgaw.com


George Hester

Jun 15, 2004, 1:59:17 PM
Get it out of the Run keys.

http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.alu.html

There is no environment variable %SYSTEM% from this page. It is most likely %SYSTEMROOT%\system32. If need be, put a dummy file svhost.exe in the location %SYSTEMROOT%\system32 and make it read-only. Also remove all NTFS permissions on it. That should stop it. Or of course follow the removal instructions.

--
George Hester
__________________________________


"Lorrie" <amer...@evms.edu> wrote in message news:7fa1f531.04061...@posting.google.com...
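
An audit of the two things the reply above points at, the Run keys and a file named svhost.exe in %SYSTEMROOT%\system32, added here as an example and not part of any post in the thread. The list of autostart keys is an assumption (standard Windows locations); the thread names no specific key or value.

```powershell
# Added example: report autostart entries and the system32 file that use the
# name from the thread (svhost.exe, not the legitimate svchost.exe).
$suspectName = 'svhost.exe'

# Assumption: standard Windows autostart keys; the thread only says "Run keys".
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntry {
    param([string[]]$Path)
    foreach ($key in $Path) {
        if (-not (Test-Path -LiteralPath $key)) { continue }   # key absent on this OS
        $regKey = Get-Item -LiteralPath $key
        foreach ($valueName in $regKey.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key
                Value = $valueName
                Data  = [string]$regKey.GetValue($valueName)
            }
        }
    }
}

# 1. Autostart values whose name or command line references the suspect file.
$hits = @(Get-AutostartEntry -Path $runKeys |
    Where-Object { $_.Data -like "*$suspectName*" -or $_.Value -like "*$suspectName*" })
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No autostart value references $suspectName."
}

# 2. State of the file itself: absent, a zero-length read-only placeholder
#    (the dummy file suggested in the reply), or something that needs a look.
$target = Join-Path $env:SystemRoot "system32\$suspectName"
if (Test-Path -LiteralPath $target) {
    $file = Get-Item -LiteralPath $target -Force
    $isPlaceholder = ($file.Length -eq 0 -and $file.IsReadOnly)
    Write-Output ("{0}: {1} bytes, read-only={2}, placeholder={3}" -f `
        $target, $file.Length, $file.IsReadOnly, $isPlaceholder)
} else {
    Write-Output "$target is not present."
}
```

Running it right after cleaning and again the next day shows whether the autostart entry or the file has returned on that machine.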

Kevin

Jun 15, 2004, 8:48:45 PM
Disable your network completely! The computers are re-infecting each other.
With the network completely down, follow the instructions at:
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.alu.html


--

Kevin


"Lorrie" <amer...@evms.edu> wrote in message
news:7fa1f531.04061...@posting.google.com...

Lorrie

Jun 16, 2004, 2:08:59 PM
"John McGaw" <now...@inparticu.lar> wrote in message news:<#Pe#92tUEH...@TK2MSFTNGP11.phx.gbl>...

The systems show up the next day. We are running Windows 2000 and
Windows XP workstations, and we have Windows 2000 and Windows 2003 servers
running Active Directory. We do have a network-wide firewall, no
individual firewalls. We have checked all computers on campus. We
have also disabled ports which our students use for their laptops,
which has taken them out of the loop. They have been requested to
bring laptops in to be scanned and tested.
We are disabling Windows Messenger on systems also. Thanks for any
help.
