W32.Bobax.N

Discovered: February 05, 2005
Updated: February 05, 2005 8:40:13 AM
Systems Affected: Windows

W32.Bobax.N is a mass-mailing worm that propagates by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108). The worm lowers security settings and allows a compromised computer to be used as a covert proxy. The worm also sends an email to addresses gathered from the compromised computer.

When the worm is executed, it creates a DLL file:
%Temp%\[random file name].tmp

It injects this .tmp file as a thread into any process that owns a window with the class name "Shell_TrayWnd". The worm then ends its own process.

Normally, the Explorer.exe process owns the window with the class name "Shell_TrayWnd".

It may copy itself to the %System% folder using a randomly generated file name.

The worm creates the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"[random value]" = "%System%\[random file name].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\"[random value]" = "%System%\[random file name].exe"

The worm appends the following string (on one line) to the %system%\drivers\hosts file to block access to several security-related Web sites:
255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
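A defender-side check for the hosts-file tampering described above, added here as an example (it is not part of Symantec's write-up): it parses hosts-file text, ignores comments, and flags any entry that maps a security-vendor hostname to a blackhole address such as 255.255.255.255. The vendor domain list is taken from the line quoted above, and the sample hosts content is constructed.

```python
import ipaddress

# Addresses to which no legitimate hosts entry maps a public vendor name;
# mapping an update site here silently breaks access to it.
BLACKHOLE_IPS = {"255.255.255.255", "0.0.0.0", "127.0.0.1"}

# Vendor domains drawn from the hosts line quoted in the write-up.
SECURITY_DOMAINS = ("symantec.com", "mcafee.com", "nai.com", "sophos.com",
                    "f-secure.com", "kaspersky.ru", "avp.com", "trendmicro.com",
                    "microsoft.com", "ca.com", "viruslist.com")

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments.
    One line may carry many hostnames, as the worm's single appended line does."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                            # malformed line, skip it
        for name in names:
            yield ip, name.lower()

def find_blocked_security_hosts(text):
    """Return hosts entries that redirect a security-vendor name to a
    blackhole address. The standard localhost entry is excluded."""
    hits = []
    for ip, name in parse_hosts(text):
        if ip not in BLACKHOLE_IPS or name == "localhost":
            continue
        if any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS):
            hits.append((ip, name))
    return hits

# Constructed sample: a normal hosts file with a worm-style line appended.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        intranet.example.test   # constructed, legitimate entry
255.255.255.255 liveupdate.symantec.com download.mcafee.com www.sophos.com ftp.f-secure.com
"""

if __name__ == "__main__":
    for ip, name in find_blocked_security_hosts(SAMPLE_HOSTS):
        print(f"{name} -> {ip}")
```

On a live system, feed the function the contents of %SystemRoot%\System32\drivers\etc\hosts; any hit is worth a closer look, since Windows never ships vendor names mapped this way.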

The worm attempts to lower security settings by setting the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"AntivirusDisableNotify"=1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"FirewallDisableNotify"=1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"FirewallOverride"=1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"UpdatesDisableNotify"=1

The worm attempts to use the compromised computer as a covert proxy.

The worm spreads by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108).

The worm retrieves email addresses from the files with the following extensions:
.HTM
.TXT
.DBX

It also retrieves email addresses from Windows Address Book files and the Windows Messenger contact list.

The worm sends an email to all addresses found. The email has the following characteristics:

Subject: One of the following,
Cool
pics
funny
bush
joke
secret

Message: One of the following,
Saddam Hussein - Attempted Escape, Shot dead
Attached some pics that i found

Osama Bin Laden Captured.
Attached some pics that i found

Testing

Secret!

Hey,
Remember this?

Hello,
Long time! Check this out!

Hey,
I was going through my album, and look what I found..

Hey,
Check this out :-)

The message may also contain the following strings:

+++ Attachment: No Virus found
+++ You are protected
+++ <a fake URL>

Attachment: One of the following names,
Cool
pics
funny
bush
joke
secret

with a .PIF, .SCR, .EXE, or .ZIP extension.

The worm avoids sending to any email address whose domain contains any of the following strings:
ogle
yaho
help
admi
ter@
micr
msn.
hotm
supp
yman
viru
tren
secu
.mil
urhq
pand
afee
soph
kasp
.gov
nort

The worm may download the following files, which are legitimate installers and not themselves malicious:
download.yahoo.com/dl/installs/msgr6suite.exe
ftp.scarlet.be/pub/mozilla.org/firefox/releases/1.0/win32/en-US/Firefox Setup 1.0.exe
ftp.newaol.com/aim/win95/Install_AIM.exe
g.msn.com/7MEEN_US/EN/SETUPDL.EXE