Discovered: May 17, 2004
Updated: May 17, 2004 2:34:54 PM
Systems Affected: Windows XP, Windows Server 2003, Windows 2000
W32.Bobax.A is a worm that exploits the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108) in order to propagate.
When it is executed it performs the following actions:
Creates a randomly named copy of itself in the Windows System directory and the corresponding registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\[random characters] = %System%\[random characters].exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\[random characters] = %System%\[random characters].exe
Creates a mutex named '00:24:03:54A9D' so that only a single copy of the worm is present in memory.
Attempts to delete all files in %temp% which begin with "~".
Drops a DLL to %temp% as a ~[random characters].tmp file. This DLL contains the worm's main functionality. The worm injects the DLL into explorer.exe, after which its own [random filename].exe process exits.
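The host indicators above (a randomly named executable in the System directory, registered under both Run and RunServices with a value name that matches the file's base name) can be checked in a registry export. The following triage script is an added example, not part of this write-up or any vendor tool; the .reg-style export, the entry names and the small allowlist are all constructed for the example.

```python
"""
Triage helper for the autorun persistence described above: flag Run/RunServices
values whose data points at an executable in the System directory and whose
value name equals that executable's base name (the [random characters] pattern),
unless the name is on a known-good allowlist.
"""
import re

# Constructed sample export (hypothetical machine). The 'ksjdhq' entries mimic
# the pattern in the write-up; the other two are benign-looking values.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ksjdhq"="C:\\WINDOWS\\system32\\ksjdhq.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jusched.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ksjdhq"="C:\\WINDOWS\\system32\\ksjdhq.exe"
'''

AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
KNOWN_GOOD = {"ctfmon"}   # assumed allowlist for this example; extend per environment

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Yield (key, value_name, value_data) from a .reg-style export text.
    Backslashes are doubled in .reg files, so they are collapsed here."""
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            yield current_key, m.group(1), m.group(2).replace("\\\\", "\\")


def is_system_dir_path(path):
    lower = path.lower()
    return "\\system32\\" in lower or lower.startswith("%system%\\")


def suspicious_autoruns(text):
    """Return [(key_leaf, value_name, value_data)] for entries matching the pattern."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in AUTORUN_KEYS:
            continue
        exe = data.rsplit("\\", 1)[-1]
        base = exe[:-4] if exe.lower().endswith(".exe") else exe
        if (is_system_dir_path(data)
                and base.lower() == name.lower()
                and name.lower() not in KNOWN_GOOD):
            hits.append((key.rsplit("\\", 1)[-1], name, data))
    return hits


if __name__ == "__main__":
    for key_leaf, name, data in suspicious_autoruns(SAMPLE_REG_EXPORT):
        print(f"{key_leaf}: {name} -> {data}")
```

The same entry appearing under both Run and RunServices is itself a useful signal: RunServices is only honoured by Windows 9x/Me, so a value written there on the systems listed above suggests tooling that writes both keys blindly rather than a legitimate installer.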
Attempts to contact a remote web server with a unique ID code as notification of infection. The worm parses the response for commands to activate, including sending spam mail, sending system information to the author and stopping scanning.
Opens a number of randomly selected ports, and awaits an incoming connection. The worm runs its SMTP server routine on these ports, leaving the infected machine open to be used as a spam relay.
The worm scans randomly generated IP addresses on TCP port 5000. This port is used by the Universal Plug and Play (UPnP) service, which is enabled by default on Windows XP. If a connection is made, the worm sends shellcode to the host in an attempt to exploit the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108).
If the exploit is successful, the compromised system is instructed to download and execute a copy of the worm from the attacking host. This file is saved as SVC.EXE.
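The scanning behaviour described above is visible from the network side as one host opening connections to many unrelated addresses on TCP/5000 in a short time. The detector below is an added example, not part of this write-up or any vendor product; the connection-log format, addresses, window and threshold are constructed assumptions for the example.

```python
"""
Sliding-window detector for the TCP/5000 scanning described above: a source that
contacts at least THRESHOLD distinct destinations on the port within WINDOW is
flagged, regardless of whether the firewall allowed or denied the connection
(a scanner's denied attempts are as telling as its successful ones).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src> <dst> <dport> <proto> <action>".
# 10.0.0.7 sprays TCP/5000 at random addresses; 10.0.0.12 makes one local
# UPnP-looking connection and an ordinary web request.
SAMPLE_LOG = """\
2004-05-17T14:30:01 10.0.0.7 203.0.113.9 5000 TCP DENY
2004-05-17T14:30:01 10.0.0.7 198.51.100.44 5000 TCP DENY
2004-05-17T14:30:02 10.0.0.7 192.0.2.130 5000 TCP DENY
2004-05-17T14:30:02 10.0.0.12 10.0.0.1 5000 TCP ALLOW
2004-05-17T14:30:03 10.0.0.7 203.0.113.77 5000 TCP ALLOW
2004-05-17T14:30:03 10.0.0.12 198.51.100.5 80 TCP ALLOW
2004-05-17T14:30:04 10.0.0.7 192.0.2.8 5000 TCP DENY
2004-05-17T14:30:05 10.0.0.7 203.0.113.200 5000 TCP DENY
"""

SCAN_PORT = 5000
WINDOW = timedelta(seconds=60)
THRESHOLD = 5   # distinct destinations inside one window; tune to the environment


def parse_line(line):
    ts, src, dst, dport, proto, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto, action


def find_port_scanners(log_text, port=SCAN_PORT, window=WINDOW, threshold=THRESHOLD):
    """Return {source_ip: max distinct destinations seen in one window} for
    sources that reached `threshold` distinct hosts on `port`."""
    events = defaultdict(list)          # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, _action = parse_line(line)
        if proto == "TCP" and dport == port:
            events[src].append((ts, dst))

    flagged = {}
    for src, hits in events.items():
        hits.sort()                      # order by timestamp
        start = 0
        for end in range(len(hits)):
            # advance the window start until it fits within `window` of hits[end]
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for src, count in find_port_scanners(SAMPLE_LOG).items():
        print(f"possible TCP/{SCAN_PORT} scanner: {src} ({count} distinct destinations)")
```

A flagged internal host is a candidate for the host-side checks earlier in this write-up; a subsequent outbound file transfer from that host's peer, or an inbound file named SVC.EXE, would corroborate the exploitation step described above.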