W32.Bobax.D

Risk Level 2: Low

Discovered:
May 19, 2004
Updated:
May 19, 2004 3:44:16 PM
Systems Affected:
Windows XP

SUMMARY

W32.Bobax.D is a worm that propagates by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108). It allows compromised systems to be used as an SMTP relay.

TECHNICAL DETAILS

W32.Bobax.D is a worm that propagates by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108). It allows compromised systems to be used as an SMTP relay.

When the worm is executed it copies itself to %System% as a randomly named .exe file.

It then attempts to delete all files in %temp% which begin with "~".

The worm drops a DLL to %temp% as ~[random characters].tmp. This DLL file contains the worm's main functionality. The worm injects this DLL into explorer.exe, after which its own [random filename].exe process ends.

It also creates a registry entry so that the randomly named file dropped to %System% is executed on startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[random string]"="%System%\[random filename].exe"

Then, it attempts to download one of the following files to gauge the speed of the internet connection available:
http://g.masn.com/7MEEN_US/EN/SETUPDL.EXE
http://ftp.newaol.com/aim/win95/Install_AIM.exe
http://download.microsoft.com/download/f/a/a/faa796aa-399d-437a-9284-c3536e9f2e6e/Windows2000-KB835732-x86-ENU.EXE
http://microsoft.com/download/6/1/5/615a50e9-a508-4d67-b53c-3a43455761bf/WindowsXP-KB835732-x86-ENU.EXE
http://download.yahoo.com/dl/mac/ymsgr_2.5.3-ppc_install.bin

The worm attempts to contact a remote webserver using a unique ID code and some system information, as notification of infection. The worm will parse the response for commands to activate, which include:
Sending spam mail.
Stopping/Restarting scanning.
Downloading and executing a specified executable.
Updating itself.

The webserver contacted will be one of the following:
butter.dns4biz.org
cheese.dns4biz.org
kwill.hopto.org
chilly.no-ip.info
symatec.zapto.org
mcafee.myvnc.com
sophos.myftp.biz
kaspersky.3utilities.com

The worm also modifies the Hosts file, adding the following entry:

255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
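The Hosts entry above points security-vendor and update domains at the broadcast address, which silently breaks signature updates and support sites. The following check is an added example, not code from the advisory or from Symantec: it parses hosts-file text, flags any line that maps a watched domain to an unreachable address (255.255.255.255, loopback, or 0.0.0.0), and reports the affected names. The watched-suffix list is a subset of the domains in the entry above; the sample hosts text is constructed for the example.

```python
"""Detect hosts-file tampering that sinkholes security-vendor domains.

Added example (not part of the W32.Bobax.D write-up): reads hosts-file
text and reports watched domains mapped to an address that cannot be
reached (255.255.255.255, loopback, or 0.0.0.0).
"""
import ipaddress
from typing import Dict, List, Tuple

# Domain suffixes taken from the Hosts entry in the write-up (subset).
WATCHED_SUFFIXES = (
    "symantec.com", "mcafee.com", "nai.com", "networkassociates.com",
    "sophos.com", "f-secure.com", "kaspersky.ru", "viruslist.com",
    "viruslist.ru", "trendmicro.com", "ca.com", "my-etrust.com",
    "avp.com", "avp.ch", "avp.ru", "microsoft.com", "awaps.net",
    "atdmt.com", "atwola.com", "phx.corporate-ir.net",
)

BROADCAST = ipaddress.ip_address("255.255.255.255")


def is_sinkhole(addr: str) -> bool:
    """True if addr can never reach a real host (broadcast, 0.0.0.0, 127/8)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip == BROADCAST or ip.is_unspecified or ip.is_loopback


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) for each non-comment hosts line.

    A single hosts line may carry many hostnames, exactly as the worm's
    entry does, so every name after the address is kept.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.append((parts[0], parts[1:]))
    return entries


def _is_watched(name: str) -> bool:
    n = name.lower()
    return any(n == s or n.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_blocked_security_hosts(text: str) -> Dict[str, str]:
    """Map each watched hostname to the sinkhole address it was pointed at."""
    findings: Dict[str, str] = {}
    for addr, names in parse_hosts(text):
        if not is_sinkhole(addr):
            continue
        for name in names:
            if _is_watched(name):
                findings[name.lower()] = addr
    return findings


# Constructed sample hosts file: one benign line, one tampered line.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
255.255.255.255 liveupdate.symantec.com download.mcafee.com www.sophos.com
10.0.0.5        intranet.example   # constructed, benign
"""

if __name__ == "__main__":
    for host, addr in sorted(find_blocked_security_hosts(SAMPLE_HOSTS).items()):
        print(f"{host} -> {addr}")
```

On a live system the text would come from %SystemRoot%\System32\drivers\etc\hosts; any hit is worth treating as an indicator and restoring the file from a known-good copy once the infection is removed.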

The worm opens a number of randomly selected ports, and awaits an incoming connection. The worm runs its SMTP server routine on these ports, leaving the infected machine open to be used as a spam relay.

The worm will scan randomly generated IP addresses on TCP port 5000. This port is used by the Universal Plug and Play (UPnP) service, which is enabled by default on Windows XP. If a connection is made, the worm sends shellcode to the host in an attempt to exploit the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108).

If the exploit is successful, the code executed on the remote machine will force it to connect back to the attacking host via HTTP, on a random port, to download and execute the worm. The worm will be saved as SVC.exe.
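The propagation behaviour described above leaves a recognisable network trace: one host fanning out to many random destinations on TCP port 5000. The script below is an added example, not code from the advisory or from Symantec: it parses constructed firewall-style flow records, counts distinct destinations per source on that port, and reports sources whose fan-out exceeds a threshold. The log format, field names and threshold are assumptions for the example.

```python
"""Flag hosts fanning out to many destinations on TCP/5000.

Added example (not part of the W32.Bobax.D write-up). The flow-log format
("src= dst= dport= proto=") is an assumption; adapt LOG_RE to the real
firewall or NetFlow export in use.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple

LOG_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)


def parse_flow(line: str) -> Optional[Tuple[str, str, int, str]]:
    """Extract (src, dst, dport, proto) from one log line, or None if unparsable."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport")), m.group("proto").lower()


def find_port_scanners(lines: Iterable[str], port: int = 5000, threshold: int = 10) -> Dict[str, int]:
    """Return {source: distinct_destination_count} for sources at or above threshold.

    A scanner probing random addresses touches many distinct destinations on
    the same port; a legitimate UPnP client talks to one or a few.
    """
    fanout: Dict[str, set] = defaultdict(set)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue                      # skip malformed or unrelated lines
        src, dst, dport, proto = rec
        if proto == "tcp" and dport == port:
            fanout[src].add(dst)
    return {src: len(dsts) for src, dsts in fanout.items() if len(dsts) >= threshold}


# Constructed sample: one scanning source, one benign source, one bad line.
SAMPLE_LOG = [
    f"2004-05-19T10:00:{i:02d} src=192.0.2.10 dst=198.51.100.{i} dport=5000 proto=tcp action=deny"
    for i in range(1, 16)
] + [
    "2004-05-19T10:00:20 src=192.0.2.44 dst=198.51.100.3 dport=5000 proto=tcp action=allow",
    "2004-05-19T10:00:21 src=192.0.2.44 dst=203.0.113.9 dport=80 proto=tcp action=allow",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for src, count in find_port_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {count} distinct hosts on tcp/5000")
```

The threshold is a tuning knob: a count of distinct destinations per source over a short window separates random-address scanning from normal UPnP discovery, and the same logic applies to any single-port worm once the port is changed.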