WORM_BOBAX.P
Overview

Malware type: Worm

Aliases: Net-Worm.Win32.Bobic.b (Kaspersky), W32.Bobax.Z@mm (Symantec), Worm/Bobic.B.14 (Avira), W32/Bobax-Gen (Sophos)

In the wild: Yes

Language: English

Platform: Windows 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

As of June 3, 2005 1:38 AM (PDT/GMT-7:00), TrendLabs has declared a MEDIUM risk alert in order to control the spread of WORM_BOBAX.P. TrendLabs has received several infection reports indicating that this worm is currently spreading in the United States, Singapore, Ireland, Japan, Peru, Australia, and India.

To get a one-glance comprehensive view of the behavior of this worm, refer to the Behavior Diagram shown below.

WORM_BOBAX.P Behavior Diagram

Malware Overview

This memory-resident worm usually arrives on a system as a file downloaded by TROJ_SMALL.AHE. It spreads by sending a copy of TROJ_SMALL.AHE as an attachment to an email message that it sends using its own Simple Mail Transfer Protocol (SMTP) engine.

The message it sends out contains the following details:

Subject: (any of the following)

• bush
• Cool
• funny
• joke
• pics
• secret

Message body: (any of the following)

• Attached some pics that i found
• Check this out :-)
• Hello,
• I was going through my album, and look what I found..
• Long time! Check this out!
• Osama Bin Laden Captured.
• Remember this?
• Saddam Hussein - Attempted Escape, Shot dead
• Secret!
• Testing

(followed by any of the following strings)

• +++ Attachment: No Virus found
• +++ F-Secure AntiVirus - You are protected
• +++ Norman AntiVirus - You are protected
• +++ Norton AntiVirus - You are protected
• +++ Panda AntiVirus - You are protected
• +++ www.f-secure.com
• +++ www.norman.com
• +++ www.pandasoftware.com
• +++ www.symantec.com

Attachment: (a .ZIP file that may use any of the following names)

• bush
• funny
• joke
• pics
• secret

(The attachment file names may have any of the following extensions:)

• EXE
• PIF
• SCR

When an unsuspecting user executes the Trojan attachment, TROJ_SMALL.AHE downloads WORM_BOBAX.P, and the vicious worm-Trojan cycle continues.
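As an added mail-gateway detection example (not part of the original Trend Micro description), the following Python checks a raw email against the three lure traits listed above: a subject from the list, a fake antivirus trailer in the body, and a ZIP attachment using one of the listed names. It uses only the standard library (Python 3.9 or later is assumed); the two sample messages are constructed in memory and are not real captures.

```python
import email
import email.policy
from email.message import EmailMessage

# Lure strings copied from the description above.
SUBJECTS = {"bush", "cool", "funny", "joke", "pics", "secret"}
ATTACHMENT_STEMS = {"bush", "funny", "joke", "pics", "secret"}
AV_TRAILERS = (
    "+++ Attachment: No Virus found", "+++ F-Secure AntiVirus - You are protected",
    "+++ Norman AntiVirus - You are protected", "+++ Norton AntiVirus - You are protected",
    "+++ Panda AntiVirus - You are protected", "+++ www.f-secure.com",
    "+++ www.norman.com", "+++ www.pandasoftware.com", "+++ www.symantec.com",
)

def bobax_indicators(raw: bytes) -> list[str]:
    """Return the names of the lure traits found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    if str(msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if any(trailer in body for trailer in AV_TRAILERS):
        hits.append("fake-av-trailer")
    for part in msg.iter_attachments():
        stem, _, ext = (part.get_filename() or "").lower().rpartition(".")
        if ext == "zip" and stem in ATTACHMENT_STEMS:
            hits.append("zip-attachment")
            break
    return hits

def is_bobax_lure(raw: bytes) -> bool:
    # The description lists all three traits together; flagging on two of three is a threshold chosen here.
    return len(bobax_indicators(raw)) >= 2

def build_sample(subject: str, body: str, attachment: str = "") -> bytes:
    """Construct a test message in memory (sample data, not a real capture)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        # Placeholder bytes stand in for the ZIP; only the file name is inspected.
        msg.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                           subtype="zip", filename=attachment)
    return msg.as_bytes()

LURE = build_sample("pics", "Attached some pics that i found\n\n"
                    "+++ Norton AntiVirus - You are protected\n", "pics.zip")
BENIGN = build_sample("Quarterly report", "See attached.\n", "report.zip")
```

`bobax_indicators(LURE)` returns all three trait names and `bobax_indicators(BENIGN)` returns an empty list, so only the lure is flagged.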

Below is a sample screenshot of the actual email:

This is a screenshot of an email it sends.

It also takes advantage of the Windows LSASS vulnerability. For more information about this vulnerability, please refer to the following Microsoft page:

This worm is also capable of modifying the system's HOSTS file in order to prevent users from accessing certain Web sites.


Description created: Jun. 2, 2005 3:19:32 PM GMT -0800
Description updated: Jun. 3, 2005 10:17:57 AM GMT -0800
