Archived from groups: microsoft.public.win2000.security
We seem to have contracted a version of the Gaobot in our company. Some PCs
(interestingly enough, all Windows 2000) keep getting hit with a
systemdll.exe file from an unknown source. I've deleted the file from all the
found locations, did a search through the registry and deleted all instances.
Everything is fine for a while, but then it appears again. I tried using
the Gaobot repair tool, but it comes up empty. What the file appears to do
is use or create network shares; its favorites so far have been WINNT and
SYSTEM32, but it also uses print shares by creating a copy of an existing
printer on the PC and creating a share for it. I've also seen where it
creates a share on a user's My Documents folder, the C drive, and
SYSTEM32\SPOOL\DRIVERS. Here are the share names:
C = C$ (default share set up by Windows)
WINNT = ADMIN$ (default share set up by Windows)
SYSTEM32\SPOOL\DRIVERS = print$
My Document = My Document
It will also create a randomly named service that shows up under Manage (i.e.
aerwse) that will either be set up as Manual run or Disabled, which I've
searched through the registry for and deleted.
It looks like the process is being run by user (pc name\Administrators or NT
AUTHORITY\SYSTEM). I just found out that when these PCs were set up there
was no Admin password set (yeah, it's blank, pretty stupid), so I'm changing
those to a more secure password, but I can't do anything with the NT
AUTHORITY\SYSTEM user account that I know of. If you need any more info I'll
be happy to supply it and, as always, thanks in advance for any help.
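One way to find the kind of shares the post describes on a suspect host, as an added example that is not part of the original post or of any Gaobot tool: the script below parses the text that `net share` prints and flags every share that is not one Windows 2000 creates on its own (C$, ADMIN$, IPC$, print$), giving a reason a responder can act on. The sample `net share` output, the C:\DOCS path and the C:\WINNT system root are constructed assumptions for the example, not output captured from the poster's machines.

```python
"""Audit `net share` output for shares a Gaobot-style worm may have added.

Added example. Column offsets are read from the header line that `net share`
prints, so share names containing spaces (like "My Document" in the post)
are kept whole instead of being split on whitespace.
"""

# Shares a Windows 2000 host creates on its own: C$, ADMIN$ and print$ are the
# default mappings the post lists; IPC$ is the always-present named-pipe share.
DEFAULT_SHARES = {"C$", "ADMIN$", "IPC$", "print$"}

# Constructed sample of `net share` output (assumption: the real command's
# fixed-width layout of share name, Resource path and Remark).
SAMPLE_NET_SHARE = r"""Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINNT                        Remote Admin
print$       C:\WINNT\SYSTEM32\SPOOL\DRIVERS Printer Drivers
My Document  C:\DOCS\bob\My Documents
SYSTEM32     C:\WINNT\SYSTEM32
The command completed successfully.
"""


def parse_net_share(text):
    """Return (share_name, resource, remark) tuples from `net share` output."""
    lines = text.splitlines()
    header = next(line for line in lines if line.startswith("Share name"))
    res_col = header.index("Resource")   # where the path column starts
    rem_col = header.index("Remark")     # where the remark column starts
    shares = []
    in_table = False
    for line in lines:
        if line.startswith("---"):       # separator marks the start of the rows
            in_table = True
            continue
        if not in_table or not line.strip() or line.startswith("The command"):
            continue
        name = line[:res_col].strip()
        resource = line[res_col:rem_col].strip()
        remark = line[rem_col:].strip()
        shares.append((name, resource, remark))
    return shares


def suspicious_shares(shares, defaults=DEFAULT_SHARES, system_root=r"C:\WINNT"):
    """Flag shares outside the default set, with a reason for the responder.

    system_root is an assumption (Windows 2000 normally installs to C:\WINNT);
    any share whose path sits under it exposes system binaries, which matches
    the WINNT / SYSTEM32 shares the post reports.
    """
    flagged = []
    for name, resource, _remark in shares:
        if name in defaults:
            continue
        if resource.upper().startswith(system_root.upper()):
            reason = "exposes a system directory"
        elif name.endswith("$"):
            reason = "hidden share outside the default set"
        else:
            reason = "exposes user data"
        flagged.append((name, resource, reason))
    return flagged


if __name__ == "__main__":
    for name, resource, reason in suspicious_shares(parse_net_share(SAMPLE_NET_SHARE)):
        print(f"{name!r:16} -> {resource:36} {reason}")
```

On a live host, feed the script the saved output of `net share` from each affected machine; a share that is flagged and was not created by an administrator is worth removing and, more importantly, tracing back to the service or account that created it.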