Win32/Bobax [Threat Name]

Win32/Bobax.A [Threat Variant Name]

Category virus, worm
Short description

Win32/Bobax.A is a worm that spreads by exploiting a vulnerability in Microsoft Windows.

Installation

When executed, the worm copies itself into the %system% folder using a random filename. A DLL file with a random name is dropped in the %temp% folder; the file is 17920 B in size. The DLL is executed as a new thread inside the explorer.exe process.


In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

The names of the entries created are random. Each entry contains the path to the worm's executable.

Spreading

The worm generates various IP addresses, connects to the remote machines and tries to exploit the LSASS vulnerability (CAN-2003-0533). If the exploit succeeds, the target retrieves a copy of the worm from the attacking machine over HTTP.

Other information

Over HTTP, the worm connects to the following addresses:

  • butter.dns4biz.org
  • cheese.dns4biz.org
  • kwill.hopto.org
  • chilly.no-ip.info

It can be controlled remotely and can send various information about the infected computer to an attacker. The worm also opens a random port on which an HTTP server listens.
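As an added example (not ESET's code and not part of this entry), the following Python sketch triages constructed firewall log lines for the two network behaviours described in the Spreading and Other information sections: a host fanning out to many distinct peers on the SMB port the LSASS exploit is assumed to travel over, and any contact with the four listed hostnames. The log format, port 445, the time window and the fan-out threshold are assumptions, not details from this entry.

```python
"""Triage constructed firewall log lines for two behaviours of Win32/Bobax.A:
random-IP fan-out to the assumed LSASS/SMB port and contact with the listed
C2 hostnames. Log format, port number and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hostnames taken from the entry; the worm polls them over HTTP.
C2_HOSTS = {"butter.dns4biz.org", "cheese.dns4biz.org",
            "kwill.hopto.org", "chilly.no-ip.info"}
SMB_PORT = 445          # assumed exploit transport; the entry names only LSASS
FANOUT_THRESHOLD = 20   # distinct destinations per window (assumed tuning)
WINDOW = timedelta(seconds=60)

# Constructed sample lines: "<ISO time> <src> -> <dst or host>:<port>"
SAMPLE_LOG = "\n".join(
    [f"2004-05-18T10:00:{i:02d} 10.0.0.7 -> 198.51.100.{i}:445" for i in range(25)]
    + ["2004-05-18T10:01:05 10.0.0.9 -> 192.0.2.10:445",
       "2004-05-18T10:01:07 10.0.0.9 -> 192.0.2.11:445",
       "2004-05-18T10:02:00 10.0.0.7 -> butter.dns4biz.org:80",
       "2004-05-18T10:02:30 10.0.0.12 -> example.org:80"])


def parse_line(line):
    """Return (time, src, dst, port) for one constructed log line."""
    ts, src, _, target = line.split()
    dst, port = target.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)


def triage(log_text):
    """Return (hosts scanning the SMB port, list of (src, C2 host) contacts)."""
    smb_events = defaultdict(list)   # src -> [(time, dst)]
    c2_contacts = []
    for line in log_text.splitlines():
        ts, src, dst, port = parse_line(line)
        if dst in C2_HOSTS:
            c2_contacts.append((src, dst))
        if port == SMB_PORT:
            smb_events[src].append((ts, dst))
    fanout_hosts = set()
    for src, events in smb_events.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # distinct peers reached within WINDOW of this event
            peers = {d for t, d in events[i:] if t - start <= WINDOW}
            if len(peers) >= FANOUT_THRESHOLD:
                fanout_hosts.add(src)
                break
    return fanout_hosts, c2_contacts
```

With the constructed sample, only 10.0.0.7 trips both checks; the two-connection host 10.0.0.9 stays below the fan-out threshold.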
