As of late Wednesday afternoon, no major antivirus company had listed the worm as more than a "low" risk.
Craig Schmugar, virus researcher for Network Associates Inc.s McAfee Avert research group, said the interesting variant began appearing on Monday, especially in the Asia-Pacific region, but has since toned down. There have been several variations since the initial attack, Schmugar said, some more dangerous than others. The Santa Clara, Calif. company are keeping a close eye on them, but maintaining their risk assessment of "low."
Adding to the confusion is a bewildering variety of names used for the strain, and numerous variations during the last few days. Few companies use the name Phatbot. Most call it a variation of the longstanding Gaobot or Agobot family, and sometimes as Polybot. Symantec Corp.s write-up of the worm refers to it as Gaobot.RF, declaring it to be variation number 172.
Like most of the other recent threats, Phatbot, or Gaobot, spreads through a variety of vulnerabilities in Windows, some quite old, others more recent. When the worm is run, it sets the system to autostart the worm at boot time; attempts to terminate security software running on the computer; and probes network shares in an attempt to spread itself. In addition, it seeks to terminate processes associated with other worms.
Phatbot also opens a connection to a specific IRC channel with its own built-in client and awaits commands. Reports from security analysts have differed on whether this IRC client has been used to create a "botnet" of systems for a distributed denial of service attack, and even how large a network it can practically form.
According to Ken Dunham, director of malicious code at iDEFENSE Inc., of Reston, Va., there are "at least four Phatbot variants now. "Weve been tracking this entire situation," he said in a Wednesday posting on the SecurityFocus Incidents list. "Its not a matter of how many there are but which networks end up being compromised. ... And it is growing."