Win32/Bobax [Threat Name]
Win32/Bobax.A [Threat Variant Name]
Category: virus, worm
Short description
Win32/Bobax.A is a worm that spreads by exploiting a vulnerability in Microsoft Windows.
Installation
When executed, the worm copies itself into the %system% folder under a random filename.
It also drops a DLL file into the %temp% folder.
The DLL's name is random and the file is 17920 B in size.
The DLL is executed as a new thread inside the explorer.exe process.
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
The names of the entries created are random.
Each entry contains the path to the worm's executable.
Spreading
The worm generates IP addresses to target.
It connects to those remote machines and tries to exploit the LSASS vulnerability (CAN-2003-0533).
If it succeeds, a copy of the worm is retrieved from the attacking machine over the HTTP protocol.
Other information
Using the HTTP protocol, the worm connects to the following addresses:
- butter.dns4biz.org
- cheese.dns4biz.org
- kwill.hopto.org
- chilly.no-ip.info
It can be controlled remotely.
It can send various information about the infected computer to the attacker.
The worm opens a random port, on which an HTTP server listens.
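The behaviours described under Installation, Spreading and Other information (autorun entries under Run/RunServices pointing into the system folder, HTTP contact with the listed hosts, and an HTTP listener opened from inside explorer.exe) translate directly into host-based detections. The following is an added example, not part of the original entry and not tooling from its publisher: an offline detection pass over constructed Sysmon-style log lines. The pipe-separated record format, the event names REG_SET / DNS / LISTEN, the assumption that %system% resolves to a path containing \system32\, and the sample log contents are all constructed for illustration; only the hostnames and registry keys come from the description above.

```python
"""Offline detection pass for Win32/Bobax.A indicators over constructed log lines."""
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the threat description.
C2_HOSTS = {"butter.dns4biz.org", "cheese.dns4biz.org", "kwill.hopto.org", "chilly.no-ip.info"}
AUTORUN_KEYS = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
)


@dataclass(frozen=True)
class Event:
    ts: str
    kind: str      # REG_SET, DNS or LISTEN (constructed log vocabulary)
    process: str   # image path of the acting process
    detail: str    # "key=data" for REG_SET, hostname for DNS, "addr:port" for LISTEN


@dataclass(frozen=True)
class Finding:
    ts: str
    rule: str
    evidence: str


def parse_line(line: str) -> Event:
    """Split one constructed record: timestamp|kind|process|detail."""
    ts, kind, process, detail = line.split("|", 3)
    return Event(ts, kind, process, detail)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_autorun(ev: Event) -> Optional[Finding]:
    """Run/RunServices value written from explorer.exe (the worm runs as a thread
    there) or pointing at a file inside the system folder."""
    if ev.kind != "REG_SET":
        return None
    key, _, data = ev.detail.partition("=")
    if not any(key.lower().startswith(base + "\\") for base in AUTORUN_KEYS):
        return None
    reasons = []
    if _basename(ev.process) == "explorer.exe":
        reasons.append("written from explorer.exe")
    if "\\system32\\" in data.lower():   # assumption: %system% is ...\system32
        reasons.append("target inside the system folder")
    if not reasons:
        return None
    return Finding(ev.ts, "suspicious_autorun", f"{key} -> {data}; " + ", ".join(reasons))


def check_c2(ev: Event) -> Optional[Finding]:
    """DNS lookup of one of the hosts the worm contacts over HTTP."""
    if ev.kind == "DNS" and ev.detail.lower().rstrip(".") in C2_HOSTS:
        return Finding(ev.ts, "c2_contact", f"{_basename(ev.process)} resolved {ev.detail}")
    return None


def check_listener(ev: Event) -> Optional[Finding]:
    """explorer.exe does not normally accept inbound connections; the worm's
    HTTP server on a random port shows up as exactly that."""
    if ev.kind == "LISTEN" and _basename(ev.process) == "explorer.exe":
        return Finding(ev.ts, "unexpected_listener", f"explorer.exe listening on {ev.detail}")
    return None


CHECKS = (check_autorun, check_c2, check_listener)


def analyze(lines: List[str]) -> List[Finding]:
    """Run every check over every non-empty line and collect the hits in order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        findings.extend(hit for hit in (check(ev) for check in CHECKS) if hit)
    return findings


# Constructed sample log: three events from an infected host plus two benign ones.
SAMPLE_LOG = [
    r"2004-05-17T10:01:02|REG_SET|C:\WINDOWS\explorer.exe|HKLM\Software\Microsoft\Windows\CurrentVersion\Run\qzxkl=C:\WINDOWS\system32\qzxkl.exe",
    r"2004-05-17T10:01:05|DNS|C:\WINDOWS\explorer.exe|butter.dns4biz.org",
    r"2004-05-17T10:01:07|LISTEN|C:\WINDOWS\explorer.exe|0.0.0.0:41732",
    r"2004-05-17T10:02:00|DNS|C:\Program Files\Browser\browser.exe|www.example.com",
    r"2004-05-17T10:02:10|REG_SET|C:\WINDOWS\system32\msiexec.exe|HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater=C:\Program Files\Vendor\updater.exe",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.ts, f.rule, f.evidence)
```

The autorun check deliberately fires on either reason alone: the filename is random, so a name-based signature would not hold, but an autorun value installed from inside explorer.exe, or one whose target sits directly in the system folder, is the durable part of the behaviour. The listener check is the cheapest of the three, since a listening socket owned by explorer.exe is anomalous regardless of which port the worm picked.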