Summary

Bobax is a new, Sasser-like trojan proxy that uses the MS04-011 (LSASS.EXE) vulnerability to propagate. When instructed to do so it scans random IP addresses for vulnerable computers.

When Bobax infects a host, the exploit uses HTTP to download the executable from a webserver which listens on a random port on the attacker host. The data is downloaded into a dropper file called 'svc.exe'.

The dropper drops a DLL to the temporary directory with a random name. The DLL is launched by injecting it to Explorer with a technique called DLL Injection. Because the code runs as a thread in Explorer it's not visible as a separate process.

Additional Details

The Bobax executable is packed with a modified version of UPX.

The strings within its body are encoded using a simple scrambling function.

It opens a HTTP server on the infected machine, to further distribute itself upon infection of new hosts.

When attempting to find new targets, it will probe the port 5000 ( Universal Plug and Play (UPnP) ) , a sign of a machine running Windows XP. If found, it will attempt infection of the target by means of using the LSASS exploit made famous by the Sasser worm.

Detection

Detection for this malware was published on May 16th, 2004 in the following F-Secure Anti-Virus updates:

[FSAV_Database_Version]

Version=2004-05-16_01

Write-up: Gergely Erdelyi & Ero Carrera, May 16th, 2004;

F-Secure Corporation