W32/Gobot-A

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

and remove any reference to any file you deleted.

Close the registry editor.

W32/Gobot-A is a peer-to-peer worm and mIRC backdoor Trojan.

W32/Gobot-A creates a randomly named copy of itself in the Windows system folder and updates the following registry entry with a randomly named value to run the worm when a user logs on to Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

W32/Gobot-A creates multiple copies itself in the shared folders of several popular peer-to-peer applications, and may overwrite existing files in those folders.

W32/Gobot-A attempts to connect to a remote IRC server and join a specific channel. W32/Gobot-A then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.

W32/Gobot-A scans the internet for machines listening on port 3127, the backdoor port opened by W32/MyDoom-A.