W32/Bobax.worm.o

Type: Virus
SubType: Internet Worm
Discovery Date: 06/03/2005
Length: 31,232 bytes
Minimum DAT: 4506 (06/03/2005)
Updated DAT: 4587 (09/21/2005)
Minimum Engine: 5.1.00
Description Added: 06/03/2005
Description Modified: 06/03/2005 7:38 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This self-executing worm is downloaded by the Downloader-ABL Trojan. It spreads by sending the Downloader-ABL Trojan as an attachment to email addresses found on the infected system. It also propagates by exploiting a Microsoft Windows vulnerability [MS04-011 (CAN-2003-0533)].

The worm spreads with a random filename. When run, it drops a DLL which it injects into the EXPLORER.EXE process. The DLL contains the main worm functionality. The DLL has been proactively detected as W32/Bobax.worm.dll since the 4434 DATs.

Note: Users should install the Microsoft update to be protected from the exploit used by this worm. See:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Symptoms

The virus copies itself to the %SysDir% directory using a random filename. It adds a Registry key in order to load itself at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "(random string)" = %SysDir%\(random filename).exe

(Where %SysDir% is the System directory, for example: C:\WINDOWS\SYSTEM32.)

When executed, the worm executable drops a DLL into the temporary directory, and injects the DLL into the EXPLORER.EXE process. A side effect of this injection is that EXPLORER.EXE may unexpectedly terminate on the victim machine.

Another side effect of this worm is that LSASS.EXE may crash on attacked machines. By default such a system will reboot after the crash occurs.

Method of Infection

The worm scans IP ranges looking for exploitable machines. If one is found, a buffer in LSASS.EXE is overflowed in order to create a remote shell.

Note: Users should install the Microsoft update to be protected from the exploit used by this worm. See:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Email Propagation

The virus uses its own SMTP engine and constructs its email as follows:

Subject: (Varies)

  • Cool
  • bush
  • Joke
  • secret
  • funny

Message Body: (a combination of one of the following)

  • Osama Bin Laden Captured.
  • Attached some pics that i found
  • Check this out :-)
  • Saddam Hussein - Attempted Escape, Shot dead
  • Long time! Check this out!
  • Remember this?
  • I was going through my album, and look what I found..

with any of the following:

  • +++ Panda AntiVirus - You are protected
  • +++ www.pandasoftware.com
  • +++ F-Secure AntiVirus - You are protected
  • +++ www.symantec.com
  • +++ Norman AntiVirus - You are protected

Attachment: (one of the following names, with a .pif, .scr, .exe, or .zip extension)

  • pics.1
  • Secret.2
  • joke.1
  • funny.1
  • bush.1
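The subject, body, banner and attachment lists above form a recognisable lure. As an added example (not from the original description), the following Python mail-filter check parses a raw message and reports which of those indicators it exhibits; the sample message is constructed here and is not a captured sample.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicator lists transcribed from the description above (lower-cased for matching).
SUBJECTS = {"cool", "bush", "joke", "secret", "funny"}
BODY_PHRASES = (
    "osama bin laden captured", "attached some pics that i found",
    "check this out :-)", "saddam hussein - attempted escape, shot dead",
    "long time! check this out!", "remember this?",
    "i was going through my album, and look what i found",
)
AV_BANNERS = (
    "+++ panda antivirus - you are protected", "+++ www.pandasoftware.com",
    "+++ f-secure antivirus - you are protected", "+++ www.symantec.com",
    "+++ norman antivirus - you are protected",
)
# Attachment names listed on the page, followed by one of the listed extensions.
ATTACH_RE = re.compile(r"^(pics\.1|secret\.2|joke\.1|funny\.1|bush\.1)\.(pif|scr|exe|zip)$", re.I)

def score_message(raw: bytes) -> dict:
    """Return which Bobax.o lure indicators a raw RFC 822 message exhibits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    body, attachments = "", []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() == "text/plain":
            body += part.get_content().lower()
    hits = {
        "subject": subject in SUBJECTS,
        "body_phrase": any(p in body for p in BODY_PHRASES),
        "av_banner": any(b in body for b in AV_BANNERS),
        "attachment": any(ATTACH_RE.match(a) for a in attachments),
    }
    # The attachment name is the strongest signal; require it plus one lure element.
    hits["match"] = hits["attachment"] and (hits["subject"] or hits["body_phrase"] or hits["av_banner"])
    return hits

def sample_message() -> bytes:
    """Constructed sample resembling the described lure (not a captured sample)."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = "Joke", "a@example.invalid", "b@example.invalid"
    m.set_content("Check this out :-)\n\n+++ Norman AntiVirus - You are protected\n")
    m.add_attachment(b"not a real executable", maintype="application",
                     subtype="octet-stream", filename="joke.1.scr")
    return m.as_bytes()
```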

The worm retrieves email addresses from the Windows Address Book, Windows Messenger contact list and from files with the following extensions:

  • HTM
  • TXT
  • DBX

It modifies the hosts file so that the infected computer is unable to contact various anti-virus websites. If an attempt is made to contact these websites, the connection is redirected to the IP address 255.255.255.255.
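The hosts-file tampering described above leaves a durable artifact that can be audited offline. As an added example (not part of the original description), this Python check parses a hosts file and flags any name mapped to 255.255.255.255, plus vendor names mapped to other common sinkhole addresses; the vendor list beyond the two domains named in the lure text, the extra sinkhole addresses and the sample file are assumptions constructed for the example.

```python
import ipaddress

# The page names 255.255.255.255 as the redirect target; 0.0.0.0 and 127.0.0.1
# are added here as an assumption, since they are also used to black-hole names.
SINKHOLES = {"255.255.255.255", "0.0.0.0", "127.0.0.1"}

def parse_hosts(text):
    """Yield (line_number, address, hostname) for every mapping in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                              # malformed line, not a mapping
        for name in fields[1:]:
            yield lineno, addr, name.lower()

def find_hijacks(text, vendor_suffixes):
    """Flag any name mapped to 255.255.255.255, and vendor names mapped to a sinkhole."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        is_vendor = any(name == s or name.endswith("." + s) for s in vendor_suffixes)
        if addr == "255.255.255.255" or (is_vendor and addr in SINKHOLES):
            findings.append((lineno, addr, name))
    return findings

# Vendor domains to watch: the two from the page's lure text plus assumed others.
VENDOR_SUFFIXES = ("symantec.com", "pandasoftware.com", "f-secure.com", "mcafee.com")

# Constructed sample hosts file, not captured from an infected system.
SAMPLE_HOSTS = """\
# hosts
127.0.0.1        localhost
255.255.255.255  www.symantec.com
255.255.255.255  securityresponse.symantec.com
127.0.0.1        www.pandasoftware.com
192.0.2.10       intranet.example
"""

if __name__ == "__main__":
    for lineno, addr, name in find_hijacks(SAMPLE_HOSTS, VENDOR_SUFFIXES):
        print(f"line {lineno}: {name} -> {addr}")
```

The localhost entry is left alone because 127.0.0.1 is only suspicious when the name belongs to a watched vendor.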

Removal

All Users: Use the specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Net-Worm.Win32.Bobic.d (KASP)
  • W32.Bobax.Z (Symantec)
  • WORM_BOBAX.P (Trend)
