Bobax is a new, Sasser-like trojan proxy that uses the MS04-011 (LSASS.EXE)
vulnerability to propagate. When instructed to do so it scans random IP
addresses for vulnerable computers.
When Bobax infects a host, the exploit uses HTTP to download the
executable from a webserver which listens on a random port on the
attacker host. The data is downloaded into a dropper file called
'svc.exe'.
The dropper writes a DLL with a random name to the temporary directory. The
DLL is launched by injecting it into Explorer with a technique called DLL
Injection. Because the code runs as a thread inside Explorer, it is not visible as a
separate process.
The Bobax executable is packed with a modified version of UPX.
The strings within its body are encoded using a simple scrambling function.
It opens an HTTP server on the infected machine, from which it distributes itself
further upon infection of new hosts.
When attempting to find new targets, it probes port 5000 (Universal
Plug and Play (UPnP)), a sign of a machine running Windows XP. If found, it
attempts to infect the target by means of the LSASS exploit made
famous by the Sasser worm.
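The propagation order described above (a sweep of random addresses on TCP/5000, then the LSASS exploit against a responder) gives a defender a pattern to look for in perimeter connection logs. The following is an added detection example, not part of the F-Secure write-up: it reads a constructed firewall log and flags internal sources that probe many distinct hosts on port 5000 and then open an SMB connection to one of them. The log format, all addresses and the threshold are constructed for illustration; TCP/445 as the transport of the LSASS exploit is an assumption, since the write-up names only port 5000.

```python
"""Added example (not from the F-Secure write-up): flag hosts whose outbound
connection pattern matches the Bobax-style propagation described above, namely
a burst of TCP/5000 (UPnP) probes to many addresses followed by a TCP/445
connection to a probed host. Port 445 as the LSASS exploit transport is an
assumption; the log format and addresses below are constructed."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)

# Constructed firewall log: 10.0.0.5 sweeps port 5000 and then hits 445 on a
# responder; 10.0.0.9 is a legitimate host that only talks to one UPnP device.
SAMPLE_LOG = """\
2004-05-16 10:00:01 src=10.0.0.5 dst=198.51.100.12 dport=5000 proto=tcp
2004-05-16 10:00:01 src=10.0.0.5 dst=203.0.113.40 dport=5000 proto=tcp
2004-05-16 10:00:02 src=10.0.0.5 dst=192.0.2.77 dport=5000 proto=tcp
2004-05-16 10:00:02 src=10.0.0.5 dst=198.51.100.200 dport=5000 proto=tcp
2004-05-16 10:00:03 src=10.0.0.5 dst=203.0.113.9 dport=5000 proto=tcp
2004-05-16 10:00:04 src=10.0.0.5 dst=203.0.113.9 dport=445 proto=tcp
2004-05-16 10:00:05 src=10.0.0.9 dst=10.0.0.1 dport=5000 proto=tcp
2004-05-16 10:00:06 src=10.0.0.9 dst=10.0.0.1 dport=5000 proto=tcp
"""

UPNP_PORT = "5000"
SMB_PORT = "445"  # assumption: transport for the LSASS (MS04-011) exploit


def parse(log_text):
    """Yield one dict per line that matches the constructed format; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_scanners(log_text, min_targets=4):
    """Return {src: {"probed": n, "followups": [dst, ...]}} for every source that
    probed at least `min_targets` distinct hosts on TCP/5000 and afterwards opened
    a TCP/445 connection to one of them, i.e. the scan-then-exploit order above."""
    probed = defaultdict(set)      # src -> destinations hit on 5000 so far
    followups = defaultdict(list)  # src -> destinations hit on 445 after a probe
    for ev in parse(log_text):
        if ev["proto"] != "tcp":
            continue
        if ev["dport"] == UPNP_PORT:
            probed[ev["src"]].add(ev["dst"])
        elif ev["dport"] == SMB_PORT and ev["dst"] in probed[ev["src"]]:
            followups[ev["src"]].append(ev["dst"])
    return {
        src: {"probed": len(dsts), "followups": followups[src]}
        for src, dsts in probed.items()
        if len(dsts) >= min_targets and followups[src]
    }


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: probed {info['probed']} hosts on 5000, "
              f"then 445 to {info['followups']}")
```

Requiring both the wide port-5000 sweep and the follow-up SMB connection keeps a single UPnP-chatty workstation (10.0.0.9 above) out of the result; on a real network the threshold and time window should be tuned to the site's normal UPnP traffic.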
Detection for this malware was published on May 16th, 2004
in the following F-Secure Anti-Virus updates:
[FSAV_Database_Version]
Version=2004-05-16_01
Write-up:
Gergely Erdelyi & Ero Carrera, May 16th, 2004;
F-Secure Corporation