Win32/Bobax [Threat Name]

Win32/Bobax.A [Threat Variant Name]

Category virus, worm
Short description

Win32/Bobax.A is a worm that spreads by exploiting a vulnerability in Microsoft Windows.


When executed, the worm copies itself into the %system% folder using a random filename.

A DLL file is dropped in the %temp% folder.

Its name is random and its size is 17920 B.

The file is executed as a new thread in the explorer.exe process.

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

Names of the entries created are random.

The entries contain the path to the worm's executable.
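The host-side behaviour described above (a randomly named copy in %system%, random value names under Run and RunServices pointing at it, and a 17920-byte DLL dropped in %temp%) gives an incident responder three concrete things to look for. The following triage script is an added example, not ESET's code or part of the original description: it takes autorun entries and a %temp% listing that an analyst has already collected (the sample data, the system folder path and the vetted-name allowlist below are all constructed for the example) and reports entries that match the worm's pattern.

```python
import ntpath
import re

# Constructed sample data for this example (not taken from the description).
# Autorun entries as (registry key, value name, value data).
SAMPLE_AUTORUNS = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "qkzvbqah", r'"C:\WINDOWS\system32\lhtaxpov.exe"'),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
     "xoqtlwr", r"C:\WINDOWS\system32\lhtaxpov.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "Acrobat Assistant", r'"C:\Program Files\Adobe\Acrobat\Acrotray.exe" /quiet'),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "wextract_cleanup0", r"rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32"),
]

# Constructed %temp% listing as (file name, size in bytes).
SAMPLE_TEMP_LISTING = [
    ("~DF3A1B.tmp", 16384),
    ("rwoqzgbm.dll", 17920),
    ("msvcr71.dll", 348160),
    ("setup.log", 2048),
]

SYSTEM_DIR = r"C:\WINDOWS\system32"   # assumed expansion of %system% on the examined host
DROPPED_DLL_SIZE = 17920              # size of the dropped DLL, as given in the description
# Hypothetical allowlist of value names the analyst has already vetted on this host.
VETTED_NAMES = {"ctfmon"}

# First token of a Run value: either a quoted path or the run of non-space characters.
_EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def image_path(value_data):
    """Return the executable path from a Run value, dropping quotes and arguments."""
    m = _EXE_RE.match(value_data)
    if not m:
        return ""
    return m.group(1) or m.group(2)


def flag_autoruns(entries, system_dir=SYSTEM_DIR, vetted=VETTED_NAMES):
    """Return (value name, image path) for Run/RunServices entries whose executable
    sits directly in the system folder and whose value name has not been vetted.
    Because the worm picks random names, an allowlist is more reliable than trying
    to recognise 'random-looking' strings."""
    hits = []
    for key, name, data in entries:
        leaf = key.rsplit("\\", 1)[-1].lower()
        if leaf not in ("run", "runservices"):
            continue
        exe = image_path(data)
        in_system_dir = ntpath.dirname(exe).lower() == system_dir.lower()
        if in_system_dir and name.lower() not in vetted:
            hits.append((name, exe))
    return hits


def flag_temp_dlls(listing, size=DROPPED_DLL_SIZE):
    """Return names of .dll files in the %temp% listing whose size matches the dropped DLL."""
    return [name for name, nbytes in listing
            if name.lower().endswith(".dll") and nbytes == size]


if __name__ == "__main__":
    for name, exe in flag_autoruns(SAMPLE_AUTORUNS):
        print(f"suspicious autorun: {name!r} -> {exe}")
    for name in flag_temp_dlls(SAMPLE_TEMP_LISTING):
        print(f"DLL in %temp% with size {DROPPED_DLL_SIZE}: {name}")
```

The size match alone is weak evidence (any 17920-byte DLL would trigger it), so the script is meant to shortlist files for hashing and scanning, not to declare an infection; the autorun check is the stronger signal because two random-named values pointing at the same random-named executable in %system% is exactly the persistence the worm installs.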


The worm generates various IP addresses.

It connects to remote machines and tries to exploit the LSASS vulnerability (CAN-2003-0533).

If it succeeds, a copy of the worm is retrieved from the attacking machine over HTTP.
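The propagation pattern above has a recognisable network shape: one host contacts many addresses on the SMB ports through which LSASS is reached (TCP 139/445, a well-known detail the description does not spell out), and each successfully exploited host then connects back to the attacking host on some other port to fetch the worm over HTTP. The script below is an added example, not part of the original description, that runs two such detections over flow records; the records, addresses, ports, timestamps and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records for this example: "timestamp src dst dport".
# Addresses, ports and times are made up; none come from the description.
SAMPLE_FLOWS = """
2004-05-17T10:00:01 10.0.0.5 10.0.0.21 445
2004-05-17T10:00:02 10.0.0.5 10.0.0.22 445
2004-05-17T10:00:02 10.0.0.5 10.0.0.23 445
2004-05-17T10:00:03 10.0.0.5 10.0.0.24 445
2004-05-17T10:00:04 10.0.0.5 10.0.0.25 445
2004-05-17T10:00:05 10.0.0.5 10.0.0.26 445
2004-05-17T10:00:17 10.0.0.23 10.0.0.5 2347
2004-05-17T10:00:30 10.0.0.9 10.0.0.50 445
2004-05-17T10:01:10 10.0.0.9 10.0.0.50 445
2004-05-17T10:02:00 10.0.0.50 10.0.0.9 445
""".strip().splitlines()

SMB_PORTS = {139, 445}


def parse_flows(lines):
    """Parse 'timestamp src dst dport' lines into (datetime, src, dst, port) tuples, sorted by time."""
    flows = []
    for line in lines:
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(flows)


def smb_scanners(flows, min_targets=5, window=timedelta(seconds=60)):
    """Return sources that reach at least min_targets distinct hosts on SMB ports
    inside one time window: the 'generates various IP addresses' behaviour."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in SMB_PORTS:
            by_src[src].append((ts, dst))
    scanners = set()
    for src, events in by_src.items():          # events are already time-ordered
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                scanners.add(src)
                break
    return scanners


def exploit_then_fetch(flows, window=timedelta(seconds=120)):
    """Return (victim, attacker, port) where a host contacted on SMB connects back
    to the same peer on a non-SMB port soon afterwards, matching the worm's
    retrieval of its copy from the attacking machine."""
    results = []
    for i, (ts, src, dst, dport) in enumerate(flows):
        if dport not in SMB_PORTS:
            continue
        for ts2, src2, dst2, dport2 in flows[i + 1:]:
            if ts2 - ts > window:
                break
            if src2 == dst and dst2 == src and dport2 not in SMB_PORTS:
                results.append((dst, src, dport2))
    return results


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("SMB scanners:", sorted(smb_scanners(flows)))
    for victim, attacker, port in exploit_then_fetch(flows):
        print(f"{victim} fetched from {attacker} on port {port} after SMB contact")
```

The connect-back check is what separates a scan from a successful infection: a host that merely probes others raises the first alert, while a host that probes and is then contacted on an arbitrary port by one of its targets has most likely delivered its payload, and both ends deserve isolation. Thresholds such as five targets per minute are placeholders to be tuned against the environment's normal SMB traffic.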

Other information

Using the HTTP protocol, the worm connects to the following addresses:


It can be controlled remotely.

It can send various information about the infected computer to an attacker.

The worm opens a random port on which an HTTP server listens.
