WORM_BOBAX.AD
Also known as: CME-419
Overview

Malware type: Worm

Aliases: Net-Worm.Win32.Mytob.cq (Kaspersky), W32/Mydoom.bv@MM (McAfee), W32.Mytob!gen (Symantec), Worm/Mytob.CQ.1 (Avira), Mal/Behav-134 (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This worm propagates by sending a copy of itself to email addresses harvested from the default address book of an affected system.

The email message it sends out contains the following details:

Subject: (any of the following)
• Accounts department
• Ahtung!
• Camila
• Daily activity report
• Ello!
• Flayers among us
• Freedom for everyone
• From Hair-cutter
• From me
• Greet the day
• Hardware devices price-list
• Hello my friend
• Hi!
• Jenny
• Jessica
• Looking for the report
• Maria
• Melissa
• Monthly incomings summary
• New Price-list
• Price
• Price list
• Pricelist
• Price-list
• Proclivity to servitude
• Registration confirmation
• The account
• The employee
• The summary
• USA government abolishes the capital punishment
• Weekly activity report
• Well...
• You are dismissed
• You really love me? he he

Message Body: (any of the following)
• +++ Attachment: No Virus found
• +++ F-Secure AntiVirus - You are protected
• +++ Norman AntiVirus - You are protected
• +++ Norton AntiVirus - You are protected
• +++ Panda AntiVirus - You are protected
• +++ www.f-secure.com
• +++ www.norman.com
• +++ www.pandasoftware.com
• +++ www.symantec.com
• Account Information Are Attached!
• Attached some pics that i found
• Check this out :-)
• Cya
• Empty
• Everything inside the attach
• Follow the instructions in the attachment.
• Hello,
• I was going through my album, and look what I found..
• Long time! Check this out!
• Look it through
• Mail transaction failed. Partial message is available.
• Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
• Osama Bin Laden Captured.
• please look at attached document.
• Please read the attached document and follow it's instructions.
• Remember this?
• Request
• Response
• Saddam Hussein - Attempted Escape, Shot dead
• Secret!
• Subj
• Testing
• The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
• The message contains Unicode characters and has been sent as a binary attachment.
• The original message has been included as an attachment.
• To safeguard your email account from possible termination, please see the attached file.
• To unblock your email account acces, please see the attachment.
• We attached some important information regarding your account.
• We have suspended some of your email services, to resolve the problem you should read the attached document.
• We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.

Attachment: (a .ZIP archive that contains a copy of the worm, named using any combination of the following file names and extensions)

File Names
• accepted-password
• account/-details
• account-details
• account-info
• account-password
• account-report
• approved-password
• attachment
• body
• bush
• data
• doc
• document
• document/_full
• email/-doc
• email/-info
• email-details
• email-doc
• email-info
• email-password
• file
• funny
• important-details
• info
• INFO
• info/-text
• information
• info-text
• instruction
• instructions
• joke
• letter
• mail
• message
• new-password
• password
• pics
• readme
• secret
• test
• text
• transcript
• updated-password
• your/-details

Extensions
• DOC
• EXE
• INFO
• PIF
• SCR
• TMP

Here is a sample screenshot of the email message:

It also takes advantage of the Windows Plug and Play vulnerability to propagate across networks. For more information about this vulnerability, please refer to the following Microsoft Web page:

This worm modifies the HOSTS file of the affected system to block access to the Web sites of several antivirus and security companies. It also terminates running processes on the system, most of which belong to antivirus and security software.

These actions leave the affected system exposed to further malware attacks while ensuring that the user cannot reach antivirus Web sites to verify the infection.
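As an added defensive check (not code from the original page or from Trend Micro), the following Python snippet parses HOSTS-file text and flags entries that map a hostname to a loopback or null address, which is the mechanism described above for silently blocking antivirus vendor sites. The sample HOSTS content, including its hostnames, is constructed for the example.

```python
import ipaddress

# Constructed sample HOSTS-file content (not taken from the original page).
# The loopback entries for vendor-looking hostnames mimic the tampering
# described above; 'fileserver.local' is a benign, non-loopback entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       www.f-secure.com   # constructed sinkhole entry
0.0.0.0         update.example-av.test
192.168.1.10    fileserver.local
"""

# Hostnames that legitimately resolve to loopback and must not be flagged.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (address, hostname) pairs from HOSTS-file text.

    Comments ('#' to end of line) and blank lines are ignored; one address
    line may carry several hostnames, and each is yielded separately.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            yield addr, name.lower()


def is_sinkhole_address(addr):
    """True for addresses that swallow traffic: 127.0.0.0/8, ::1, 0.0.0.0, ::."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed line; leave it to a human reviewer
    return ip.is_loopback or ip.is_unspecified


def find_sinkholed_hosts(text):
    """Return (address, hostname) pairs that point a real hostname at a sinkhole.

    Such entries block the named site with no visible error, which is the
    effect the worm above achieves against antivirus vendor sites.
    """
    return [(addr, name) for addr, name in parse_hosts(text)
            if is_sinkhole_address(addr) and name not in LEGIT_LOOPBACK_NAMES]


if __name__ == "__main__":
    for addr, name in find_sinkholed_hosts(SAMPLE_HOSTS):
        print(f"suspicious HOSTS entry: {addr} -> {name}")
```

On a live Windows system the file to read is %SystemRoot%\System32\drivers\etc\hosts; any flagged entry that the administrator did not add deliberately warrants a full malware scan from known-clean media.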

This worm downloads a file from the URL http://www.{BLOCKED}rit.edu/down.rar. As of this writing, the said file is unavailable for analysis.

For additional information about this threat, see:
Solution
Technical Details

Description created: Aug. 16, 2005 4:56:20 PM GMT -0800
