Worm variant known as Phatbot, what you should know!

Question

Phatbot (aka W32.HLLW.Gaobot.), a family of variants attacking the net is taking no hostages!

Answer

This question was answered on March 17, 2004. Much of the information contained herein may have changed since posting.

Be on the lookout for the explosion of a new variant to an old virus, 'Phatbot'! This trojan uses peer-to-peer networking abilities to wreak havoc. Phatbot has several aliasis, such as, Agobot.FO, Gaobot, Backdoor.Agobot.3.x, & W32.HLLW.GAOBOT.XX (XX=several different variations). The variant has backdoor functionality that is far more dangerous than earlier versions. It uses multiple vulnerabilities to spread and allows hackers to access infected computers through IRC.

Although the variant family has only reached a level 2 risk at SARC, security experts believe that this attack is capable of causing significant damage to users world wide. The worm has the capability to polymorph on install to avoid anti-virus signatures as it spreads from system to system. The worm also steals logins, passwords, and gaming product ID's. The following systems are effected: Windows 2000, 95, 98, Me, NT, Server 2003, & XP.

The email message has the following characteristics:

Subject, From, & Name Of Attachment: N/A

Security experts strongly urge all users to verify your OS software and all anti-virus definitions are up-to-date. By blocking any backdoor weaknesses you decrease your chances for infection.

Note: This variant also has the functionality to steal Windows Product ID's.

You can get updates to all Microsoft OS's at:

http://windowsupdate.microsoft.com

You can get more technical information about this outbreak at:

http://www.f-secure.com/v-descs/agobot_fo.shtml

&

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.gen.html

Author

Posted by Michal of Data Doctors on March 17, 2004