Threat Description



Aliases:Bobax, TrojanProxy.Win32.Bobax.a
Category: Malware
Platform: W32


Bobax is a new, Sasser-like trojan proxy that uses the MS04-011 (LSASS.EXE) vulnerability to propagate. When instructed to do so it scans random IP addresses for vulnerable computers.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.


You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.

Technical Details

The Bobax executable is packed with a modified version of UPX.

The strings within its body are encoded using a simple scrambling function.

It opens a HTTP server on the infected machine, to further distribute itself upon infection of new hosts.

When attempting to find new targets, it will probe the port 5000 ( Universal Plug and Play (UPnP) ) , a sign of a machine running Windows XP. If found, it will attempt infection of the target by means of using the LSASS exploit made famous by the Sasser worm.

When Bobax infects a host, the exploit uses HTTP to download the executable from a webserver which listens on a random port on the attacker host. The data is downloaded into a dropper file called 'svc.exe'.

The dropper drops a DLL to the temporary directory with a random name. The DLL is launched by injecting it to Explorer with a technique called DLL Injection. Because the code runs as a thread in Explorer it's not visible as a separate process.


Detection for this malware was published on May 16th, 2004 in the following F-Secure Anti-Virus updates:
Detection Type: PC
Database: 2004-05-16_01

Description Created: Gergely Erdelyi & Ero Carrera, May 16th, 2004;


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More