W32.Bobax.B


Discovered: May 17, 2004
Updated: May 19, 2004 2:42:42 PM
Systems Affected: Windows

W32.Bobax.B is a worm that attempts to exploit the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108). The worm spreads by randomly scanning IP addresses for vulnerable systems.

When W32.Bobax.B is executed it performs the following actions:

Copies itself to %System% as a randomly named .exe file.

Drops a DLL to %Temp% as a randomly named .tmp file. This DLL contains the worm's main functionality. The worm injects this DLL into explorer.exe, after which its own [random filename].exe process exits.

Creates a registry entry so that the randomly named file dropped to %System% is executed on startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[random string]" = "%System%\[random filename].exe"

Opens a number of randomly selected ports, and awaits an incoming connection. The worm runs its SMTP server routine on these ports, leaving the infected machine open to be used as a spam relay.

The worm will scan randomly generated IP addresses, attempting to connect to them on TCP port 445. If a connection is made, the worm sends shellcode to the host in an attempt to exploit the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108). If the exploit is successful, the code executed on the remote machine will force it to connect back to the attacking host via HTTP, on a random port, to download and execute the worm.
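A defender-side check for the two network behaviours described above (one host probing many random addresses on TCP/445, then a probed host connecting back to the prober on an arbitrary port), written as an added example that is not part of the original write-up. The log format, sample lines and the five-target threshold are constructed assumptions.

```python
"""Flag hosts whose connection logs match the W32.Bobax.B spread pattern:
many TCP/445 probes to distinct addresses, followed by a probed host
connecting back to the prober on a non-standard port (the download step)."""
import re
from collections import defaultdict

# Constructed sample lines in a generic firewall/flow format (not a real log).
SAMPLE_LOG = """\
2004-05-17T10:00:01 src=10.0.0.5 dst=192.0.2.17 dport=445 proto=tcp
2004-05-17T10:00:01 src=10.0.0.5 dst=198.51.100.9 dport=445 proto=tcp
2004-05-17T10:00:02 src=10.0.0.5 dst=203.0.113.44 dport=445 proto=tcp
2004-05-17T10:00:02 src=10.0.0.5 dst=192.0.2.200 dport=445 proto=tcp
2004-05-17T10:00:03 src=10.0.0.5 dst=198.51.100.77 dport=445 proto=tcp
2004-05-17T10:00:04 src=10.0.0.5 dst=10.0.0.23 dport=445 proto=tcp
2004-05-17T10:00:05 src=10.0.0.23 dst=10.0.0.5 dport=31337 proto=tcp
2004-05-17T10:00:09 src=10.0.0.8 dst=10.0.0.1 dport=445 proto=tcp
2004-05-17T10:00:10 src=10.0.0.8 dst=10.0.0.1 dport=445 proto=tcp
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def parse(log):
    """Yield (src, dst, dport) for each line that matches the assumed format."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def find_scanners(log, min_targets=5):
    """Sources that probed at least `min_targets` distinct hosts on TCP/445.
    A file server legitimately receives many 445 connections; a single client
    reaching out to many distinct hosts on 445 matches the worm's scanning."""
    targets = defaultdict(set)
    for src, dst, dport in parse(log):
        if dport == 445:
            targets[src].add(dst)
    return {src for src, dsts in targets.items() if len(dsts) >= min_targets}

def find_callbacks(log, scanners):
    """(victim, scanner, port) where a host probed on 445 by a known scanner
    later connects back to that scanner on a port other than 445."""
    probed = set()
    hits = []
    for src, dst, dport in parse(log):
        if src in scanners and dport == 445:
            probed.add((dst, src))
        elif (src, dst) in probed and dport != 445:
            hits.append((src, dst, dport))
    return hits
```

Tune `min_targets` to the environment; the threshold only needs to separate a client that probes many distinct hosts from one that repeatedly reaches the same file server.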