Steven L Umbach
This is from SARC http://www.sarc.com/ and it sounds a lot like what you may have.
The link also includes removal instructions.
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.azt.html
Your computers could be getting infected and reinfected from either the internet or
infected computers on your network. Make sure your firewall is correctly configured
and you can do a basic scan at http://scan.sygatetech.com/ . Be sure that you are
using the latest virus definitions as of today from your vendor's website. Tools such
as TCPView from Sysinternals can help in determining what computer or computers are
infecting other computers on the network.
You should isolate infected computers by disconnecting them from the network, then
repairing them, and patching them with the latest critical updates from Windows
Updates. Being current on critical updates may have prevented your problem in the
first place. Note that installing critical updates does not help an already infected
computer and ideally a repaired computer would have the drive reformatted and a fresh
install/image of the operating system but that is your call. It would also be best to
not put repaired computers back on the network until all infected computers have been
removed, though again that is your call and a properly patched computer may not get
reinfected. A temporary solution to help protect computers on the network that do not
offer shares [domain controllers do] to other computers is to use tcp/ip filtering on
the network adapter to enable IP filtering for TCP permit only and add no ports to
the list. Be sure to disable tcp/ip filtering when done as it will interfere with
remote access to a computer for things like remote Computer Man.
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q309798 -- tcp/ip filtering
I guess you learned your lesson about using no passwords or weak passwords and the trouble
that it can cause. It would be wise to enforce complex passwords on the network in
Domain Security policy and also have an account lockout policy with a threshold of no
less than ten bad attempts. This can go a long way to protecting your network. ---
Steve
http://www.microsoft.com/smallbusiness/gtm/securityguidance/hub.mspx -- Microsoft
security recommendations for small businesses.
"Gary" wrote in message
news:3462DC9C-F43E-46DC-8538-3D7D4725327F@microsoft.com...
> We seem to have contracted a version of the Gaobot in our company. Some PCs
> (interestingly enough, all Windows 2000) keep getting hit with a
> systemdll.exe file by an unknown source. I've deleted the file from all the
> found locations, did a search through the registry and deleted all instances.
> Everything is fine for a while, but then it appears again. I tried using
> the Gaobot repair tool, but it comes up empty. What the file appears to do
> is use or create network shares, its favorites so far have been WINNT and
> SYSTEM32, but it also uses print shares by creating a copy of an existing
> printer on the PC and creating a share for it. I've also seen where it
> creates a share on a user's My Documents folder, the C drive, and the
> SYSTEM32\SPOOL\DRIVERS. Here are the share names:
> C = C$ (default share set up by windows)
> WINNT = ADMIN$ (default share set up by windows)
> SYSTEM32\SPOOL\DRIVERS = print$
> My Document = My Document
> It will also create a randomly named service that shows up under Manage (ie.
> aerwse) that will either be set up as Manual run or Disabled which I've
> searched through the registry for and delete.
> It looks like the process is being run by user (pc name\Administrators or NT
> AUTHORITY\SYSTEM). I just found out that when these PCs were set up there
> was no Admin password set (yeah, it's blank, pretty stupid), so I'm changing
> those to a more secure password, but I can't do anything with NT
> AUTHORITY\SYSTEM user account that I know of. If you need any more info I'll
> be happy to supply it and as always thanks in advance for any help.
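Two of the steps Steve describes above, working out which machine is pushing the worm around (the TCPView step) and spotting the shares Gary lists, can be done from plain text an admin already collects on each box: the output of `netstat -an` and of `net share`. The script below is an added example and is not part of the original thread; both sample outputs in it are constructed for illustration, and the set of "expected" share names is an assumption about a typical box (print$ only exists where a printer is shared, so drop it from the set on workstations that share none).

```python
"""Triage helper for an SMB-share worm like the one in the thread.

Added example, not code from the original post. It parses ``netstat -an``
output to count SMB (139/445) sessions per remote host, and ``net share``
output to flag shares outside an expected set. Sample outputs are constructed.
"""
import re
from collections import Counter

SMB_PORTS = {139, 445}
# Assumption: shares Windows creates by default plus print$ for a shared printer.
DEFAULT_SHARES = frozenset({"C$", "D$", "ADMIN$", "IPC$", "print$"})

# Constructed sample: 192.168.1.37 holds three SMB sessions into this host and
# this host is also opening SMB to it; 192.168.1.50 has one session; the
# connection to port 80 is unrelated web traffic.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.20:445       192.168.1.37:1041      ESTABLISHED
  TCP    192.168.1.20:445       192.168.1.37:1042      ESTABLISHED
  TCP    192.168.1.20:139       192.168.1.37:1055      ESTABLISHED
  TCP    192.168.1.20:445       192.168.1.50:3322      ESTABLISHED
  TCP    192.168.1.20:1027      192.168.1.1:80         ESTABLISHED
  TCP    192.168.1.20:445       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1100      192.168.1.37:445       SYN_SENT
"""

# Constructed sample in the fixed-column layout net share prints.
NET_SHARE_SAMPLE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
IPC$                                         Remote IPC
C$           C:\                             Default share
ADMIN$       C:\WINNT                        Remote Admin
print$       C:\WINNT\System32\spool\drivers Printer Drivers
My Document  C:\Docs\gary\My Documents
The command completed successfully.
"""

_NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def smb_peers(netstat_text):
    """Return (inbound, outbound) Counters keyed by remote host.

    inbound  = hosts holding sessions to this machine's SMB ports (a worm
               dropping files onto our shares shows up here);
    outbound = hosts this machine is opening SMB to (a worm running here
               scanning the LAN shows up here, often as many SYN_SENT).
    """
    inbound, outbound = Counter(), Counter()
    for line in netstat_text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m:
            continue
        _local_ip, local_port, remote_ip, remote_port, state = m.groups()
        if state == "LISTENING":
            continue
        if int(local_port) in SMB_PORTS:
            inbound[remote_ip] += 1
        elif int(remote_port) in SMB_PORTS:
            outbound[remote_ip] += 1
    return inbound, outbound


def unexpected_shares(net_share_text, expected=DEFAULT_SHARES):
    """Return {share_name: path} for shares not in ``expected``.

    net share prints the name in a 13-column field and the resource in the
    next 32 columns, so slicing by column keeps names with spaces intact.
    """
    found, in_table = {}, False
    for line in net_share_text.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if not in_table or not line.strip() or line.startswith("The command"):
            continue
        name, resource = line[:13].rstrip(), line[13:45].strip()
        if name not in expected:
            found[name] = resource
    return found


def triage(netstat_text, net_share_text, expected=DEFAULT_SHARES):
    """Summarise one machine: likely sources (2+ inbound SMB sessions),
    hosts we are probing, and shares that should not be there."""
    inbound, outbound = smb_peers(netstat_text)
    return {
        "suspect_sources": [h for h, n in inbound.most_common() if n >= 2],
        "scanning_targets": sorted(outbound),
        "unexpected_shares": unexpected_shares(net_share_text, expected),
    }


if __name__ == "__main__":
    for key, value in triage(NETSTAT_SAMPLE, NET_SHARE_SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against real output by piping `netstat -an` and `net share` into files and reading them in place of the samples; a host that tops the inbound list on several machines is the one to pull off the network first, and a machine with a long outbound list is itself infected even if its own shares look clean.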