Experts Debate Danger of Phatbot Worm | eWeek

Experts Debate Danger of Phatbot Worm

Écrit par
Larry Seltzer
Larry Seltzer
Mar 17, 2004
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Security discussion lists and reports were abuzz Wednesday with talk of a new worm, named “Phatbot,” that had spread to as many as hundreds of thousands of systems. But not all security experts agreed that the worm was widespread.

As of late Wednesday afternoon, no major antivirus company had listed the worm as more than a “low” risk.

Craig Schmugar, virus researcher for Network Associates Inc.s McAfee Avert research group, said the interesting variant began appearing on Monday, especially in the Asia-Pacific region, but has since toned down. There have been several variations since the initial attack, Schmugar said, some more dangerous than others. The Santa Clara, Calif. company are keeping a close eye on them, but maintaining their risk assessment of “low.”

Adding to the confusion is a bewildering variety of names used for the strain, and numerous variations during the last few days. Few companies use the name Phatbot. Most call it a variation of the longstanding Gaobot or Agobot family, and sometimes as Polybot. Symantec Corp.s write-up of the worm refers to it as Gaobot.RF, declaring it to be variation number 172.

Like most of the other recent threats, Phatbot, or Gaobot, spreads through a variety of vulnerabilities in Windows, some quite old, others more recent. When the worm is run, it sets the system to autostart the worm at boot time; attempts to terminate security software running on the computer; and probes network shares in an attempt to spread itself. In addition, it seeks to terminate processes associated with other worms.

Phatbot also opens a connection to a specific IRC channel with its own built-in client and awaits commands. Reports from security analysts have differed on whether this IRC client has been used to create a “botnet” of systems for a distributed denial of service attack, and even how large a network it can practically form.

According to Ken Dunham, director of malicious code at iDEFENSE Inc., of Reston, Va., there are “at least four Phatbot variants now. “Weve been tracking this entire situation,” he said in a Wednesday posting on the SecurityFocus Incidents list. “Its not a matter of how many there are but which networks end up being compromised. … And it is growing.”

/zimages/1/28571.gifCheck outeWEEK.coms Security Centerat http://security.eweek.com for security news, views and analysis. Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:/zimages/1/19420.gifhttp://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo2.gif

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.