Discovered: May 18, 2004
Updated: May 18, 2004 4:46:35 PM
Systems Affected: Windows XP
When W32.Bobax.C is executed, it performs the following actions:
Copies itself to %System% as a randomly named .exe file.
Attempts to delete all files in %temp% which begin with "~".
Drops a DLL to %temp% as a ~[random characters].tmp file. This DLL contains the worm's main functionality. The worm injects this DLL into explorer.exe, and its own [random filename].exe process then ends.
Creates a registry entry so that the randomly named file dropped to %System% is executed on startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[random string]"="%System%\[random filename].exe"
Attempts to contact a remote web server with a unique ID code as notification of infection. The worm parses the response for commands to activate, including sending spam mail and stopping scanning.
Opens a number of randomly selected ports, and awaits an incoming connection. The worm runs its SMTP server routine on these ports, leaving the infected machine open to be used as a spam relay.
The worm scans randomly generated IP addresses on TCP port 5000. This port is used by the Universal Plug and Play service, which is enabled by default on Windows XP. If a connection is made, the worm sends shellcode to the host in an attempt to exploit the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108). The worm also attempts to take advantage of the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (BID 8205) by probing port 135/tcp.
If the exploit is successful, the code executed on the remote machine will force it to connect back to the attacking host via HTTP, on a random port, to download and execute the worm. The worm will be saved as SVC.exe.
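The scan-then-connect-back pattern described above leaves a recognisable trace in network flow logs. The following detector is an added example, not part of the original writeup; its flow-log format, the scanning threshold and the IP addresses are constructed assumptions:

```python
"""Flag hosts whose flows match the W32.Bobax.C propagation pattern:
many probes to tcp/5000 or tcp/135, followed by a probed host
connecting back to the scanner on a high random port over HTTP."""
from collections import defaultdict

SCAN_PORTS = {5000, 135}      # UPnP (LSASS exploit) and DCOM RPC, as in the writeup
SCAN_THRESHOLD = 5            # assumed: distinct hosts probed before we call it scanning

# Constructed sample flow log, one "src_ip src_port dst_ip dst_port" record per line,
# in the order the flows were observed.
SAMPLE_FLOWS = """\
10.0.0.5 1034 10.0.1.1 5000
10.0.0.5 1035 10.0.1.2 5000
10.0.0.5 1036 10.0.1.3 5000
10.0.0.5 1037 10.0.1.4 5000
10.0.0.5 1038 10.0.1.5 135
10.0.0.5 1039 10.0.1.6 135
10.0.1.6 1100 10.0.0.5 41234
10.0.0.7 2000 10.0.2.1 80
10.0.0.7 2001 10.0.2.2 443
"""

def parse_flows(text):
    """Parse the constructed log into (src, sport, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, sport, dst, dport = line.split()
            flows.append((src, int(sport), dst, int(dport)))
    return flows

def find_scanners(flows, threshold=SCAN_THRESHOLD):
    """Map each source that probed >= threshold distinct hosts on the exploit ports
    to the set of hosts it probed."""
    targets = defaultdict(set)
    for src, _, dst, dport in flows:
        if dport in SCAN_PORTS:
            targets[src].add(dst)
    return {s: t for s, t in targets.items() if len(t) >= threshold}

def find_connect_backs(flows, scanners):
    """Return (victim, scanner, port) for each host that was probed by a scanner and
    afterwards opened a connection back to that scanner on a non-standard high port,
    matching the worm's HTTP download stage. Order of flows is respected."""
    probed = defaultdict(set)   # scanner -> hosts it has probed so far
    hits = []
    for src, _, dst, dport in flows:
        if dport in SCAN_PORTS and src in scanners:
            probed[src].add(dst)
        elif dst in scanners and src in probed[dst] and dport >= 1024:
            hits.append((src, dst, dport))
    return hits
```

Run on a real flow export, the high-port connect-back alone is weak evidence; its value comes from pairing it with the preceding scan from the same peer.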
May attempt to download one of the following files to test the speed of the internet connection available:
http://g.msn.com/7MEEN_US/EN/SETUPDL.EXE
http://ftp.newaol.com/aim/win95/Install_Aim.exe
http://download.microsoft.com/download/f/a/a/faa796aa-399d-437a-9284-c3a43455761bf/WindowsXP-KB835732-x86-ENU.EXE
http://download.yahoo.com/dl/mac/ymsgr_2.5.3-ppc_install.bin