-
November 5th, 2002, 12:49 PM
#1
W32.HLLW.Gaobot
Does anyone know how this worm actually gets into a network in the first place? All Symantec (and any other google hits) has to say is how it spreads once it's in the network.
It showed up on 2 machines last Thursday in the form of sysldr.32.exe. One of the machines had registry entries while the other didn't. Both were easily cleaned. The next day it showed up on the machine that didn't have registry entries again. This time in the form of ctkayv.exe, which doesn't get any hits in google.
Once again it didn't make it to the registry.
I upgraded the firewall to NIS and haven't had a problem since.
BTW, one machine never receives any email and the other hadn't gotten any in over 3 weeks.
-
November 5th, 2002, 01:09 PM
#2
Assume that it MUST have come via an internet connection, but not necessarily email. Symantec indicates that BearShare, Kazaa, and others may be guilty of carrying this worm (among others).
There is actually more information here: http://securityresponse.symantec.com...lw.gaobot.html
Various Windows and Linux platforms...
-
November 5th, 2002, 10:32 PM
#3
You mention you upgraded the firewall but you never specifically say you run an anti-virus. On the off-chance someone assumes a firewall can substitute for an a-v with real-time protection, a firewall will prevent introduction of malware only from ports that are denied access. It's possible to get a virus from any open port. For example, SQL servers have been used to propagate viruses.
-
November 6th, 2002, 11:28 AM
#4
Thanks people, I guess I should have mentioned all the machines are running NAV which I update 3-4 times a week at the "Download English Updates" page. It was the NAV that caught it on the one machine, a subsequent scan on the other machines caught the other files. (Don't know why NAV didn't see it on the other machine)
Nobody downloads from Kazaa or other p2p servers here at work. (at least on these two machines) On the off chance I sent it to myself from home, I scanned my home machine and it came up clean.
No problems since those 2 instances so I guess I've got it under control.