What is it?
sagate.exe is a file associated with the W32.Gaobot.BOW worm.
What does it do?
W32.Gaobot.BOW is a network-aware worm with backdoor capabilities that can be controlled through IRC channels.
When W32.Gaobot.BOW is executed, it performs the following actions:
Copies itself as %System%\sagate.exe.
Note:
%System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Adds the value:
"Sagate Security Firewall" = "sagate.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that W32.Gaobot.BOW runs when you start Windows.
Connects the backdoor component to the remote IRC server lud.b0b.org on TCP port 7000 and awaits commands from a remote attacker.
The backdoor allows the attacker to perform actions on the compromised system, including the following:
- Download and execute files
- Scan the network
- List, stop, and start processes
- Control the file system (delete, create, and list files)
- Launch Denial of Service (DoS) attacks
- Perform port redirection
- Start a socks proxy
- Start an FTP server
- Retrieve Windows product keys
Opens three randomly selected TCP ports.
Overwrites %System%\drivers\etc\hosts with the following lines:
- 127.0.0.1 www.trendmicro.com
- 127.0.0.1 trendmicro.com
- 127.0.0.1 rads.mcafee.com
- 127.0.0.1 customer.symantec.com
- 127.0.0.1 liveupdate.symantec.com
- 127.0.0.1 us.mcafee.com
- 127.0.0.1 updates.symantec.com
- 127.0.0.1 update.symantec.com
- 127.0.0.1 www.nai.com
- 127.0.0.1 nai.com
- 127.0.0.1 secure.nai.com
- 127.0.0.1 dispatch.mcafee.com
- 127.0.0.1 download.mcafee.com
- 127.0.0.1 www.my-etrust.com
- 127.0.0.1 my-etrust.com
- 127.0.0.1 mast.mcafee.com
- 127.0.0.1 ca.com
- 127.0.0.1 www.ca.com
- 127.0.0.1 networkassociates.com
- 127.0.0.1 www.networkassociates.com
- 127.0.0.1 avp.com
- 127.0.0.1 www.kaspersky.com
- 127.0.0.1 www.avp.com
- 127.0.0.1 kaspersky.com
- 127.0.0.1 www.f-secure.com
- 127.0.0.1 f-secure.com
- 127.0.0.1 viruslist.com
- 127.0.0.1 www.viruslist.com
- 127.0.0.1 liveupdate.symantecliveupdate.com
- 127.0.0.1 mcafee.com
- 127.0.0.1 www.mcafee.com
- 127.0.0.1 sophos.com
- 127.0.0.1 www.sophos.com
- 127.0.0.1 symantec.com
- 127.0.0.1 securityresponse.symantec.com
- 127.0.0.1 www.symantec.com
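The hosts-file tampering above is the behaviour a defender can check for directly, since it silently breaks antivirus updates. The following Python is an added example, not part of Symantec's write-up: it parses a hosts file, reports every non-local name mapped to loopback, flags those in the vendor zones listed above, and produces a cleaned copy. The sample hosts text, the vendor zone subset and the function names are constructed for this example.

```python
import ipaddress

SINKHOLE_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}    # the worm uses 127.0.0.1
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}
# Subset of the vendor zones from the hosts entries listed on this page (extend as needed).
VENDOR_ZONES = ("symantec.com", "symantecliveupdate.com", "mcafee.com", "nai.com", "trendmicro.com",
                "kaspersky.com", "f-secure.com", "sophos.com", "my-etrust.com", "ca.com")

def in_vendor_zone(name):
    """Match the zone apex or a subdomain only, so 'america.com' does not match 'ca.com'."""
    return any(name == z or name.endswith("." + z) for z in VENDOR_ZONES)

def parse_hosts(text):
    """Return (line_no, address, [hostnames]) per mapping line; comments/blanks skipped."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()        # strip trailing comment, tokenize
        try:
            ipaddress.ip_address(parts[0])          # IndexError (blank) / ValueError (not an IP)
        except (IndexError, ValueError):
            continue
        entries.append((no, parts[0], [p.lower() for p in parts[1:]]))
    return entries

def find_sinkholed(text):
    """Every non-local hostname mapped to a sinkhole address, as (line_no, name, is_vendor)."""
    return [(no, n, in_vendor_zone(n))
            for no, addr, names in parse_hosts(text) if addr in SINKHOLE_ADDRS
            for n in names if n not in LOCAL_NAMES]

def clean_hosts(text):
    """Remove only the vendor sinkhole names; all other lines pass through verbatim."""
    bad = {(no, n) for no, n, vendor in find_sinkholed(text) if vendor}
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        keep = [p for p in parts[1:] if (no, p.lower()) not in bad]
        if len(keep) == len(parts[1:]):             # nothing flagged on this line: keep verbatim
            out.append(raw)
        elif keep:                                  # drop the line if nothing legitimate is left
            out.append(" ".join([parts[0]] + keep))
    return "\n".join(out) + "\n"

# Constructed sample (not a capture): vendor sinkholes mixed with legitimate entries.
SAMPLE_HOSTS = """127.0.0.1       localhost
127.0.0.1 www.trendmicro.com
127.0.0.1 liveupdate.symantec.com localhost
10.0.0.5  intranet.example.test   # constructed internal host
127.0.0.1 dev.example.test        # loopback but not a vendor: reported, kept
"""
```

Run find_sinkholed() over the real file at the path given above and review any non-vendor hits by hand before writing the output of clean_hosts() back.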
Attempts to copy itself to the following shares on randomly generated IP addresses, using its own list of user names and passwords:
Sends HTTP GET requests to the following hosts (to measure connection speed):
- yahoo.co.jp
- www.nifty.com
- www.d1asia.com
- www.st.lib.keio.ac.jp
- www.lib.nthu.edu.tw
- www.above.net
- www.level3.com
- nitro.ucsc.edu
- www.burst.net
- www.cogentco.com
- www.rit.edu
- www.nocster.com
- www.verio.com
- www.stanford.edu
- www.xo.net
- de.yahoo.com
- www.belwue.de
- www.switch.ch
- www.1und1.de
- verio.fr
- www.utwente.nl
- www.schlund.net
Attempts to steal CD keys for a number of computer games.
More info and removal instructions: Symantec.