Threat Description

Bobic.k

Details

Aliases:Bobic.k, Net-Worm.Win32.Bobic.k
Category:Malware
Type:Worm
Platform:W32

Summary



Bobic (also known as Bobax) is an e-mail and network worm. It spreads in e-mail messages and can also use exploits to spread from computer to computer over the Internet. This variant, however, carries no exploit code and spreads only by e-mail.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



When run, the worm's file drops a DLL component into the temporary folder and injects it into the Windows Explorer process.

Spreading in E-mails

The worm collects victims' e-mail addresses before spreading. It scans the Windows Address Book file and files with the following extensions:

.htm
 .txt
 .dbx

The worm ignores e-mail addresses that have any of the following substrings in them:

ogle
 help
 admi
 ter@
 micr
 supp
 yman
 viru
 tren
 secu
 .mil
 urhq
 pand
 afee
 soph
 kasp
 .gov
 nort

The worm spreads in e-mail messages. It can use the following text strings in the Subject field:

Saddam Hussein - Attempted Escape, Shot dead
 Attached some pics that i found
 Osama Bin Laden Captured.
 Attached some pics that i found
 Testing
 Secret!

The following text strings are used to build the message body of an infected e-mail:

Hey,
 Remember this?
 Hello,
 Long time! Check this out!
 Hey,
 I was going through my album, and look what I found..
 Hey,
 Check this out :-)

The worm can also append the following strings to the message to persuade the recipient that the message was scanned by an anti-virus product and found clean:

+++ Attachment: No Virus found
 +++ Panda AntiVirus - You are protected
 +++ www.pandasoftware.com
 +++ Attachment: No Virus found
 +++ Norman AntiVirus - You are protected
 +++ www.norman.com
 +++ Attachment: No Virus found
 +++ F-Secure AntiVirus - You are protected
 +++ www.f-secure.com
 +++ Attachment: No Virus found
 +++ Norton AntiVirus - You are protected
 +++ www.symantec.com

The infected attachment names can be any of the following:

Cool
 pics
 funny
 bush
 joke
 secret

Extensions of an infected attachment can be:

.pif
 .scr
 .exe
 .pif
 .zip

A remote system becomes infected when a recipient opens the worm's attachment.
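The lure strings, attachment names and extensions listed above are enough to write a simple mail-gateway check. The following is an added example, not part of the original description or of any F-Secure product: it scores a message against those indicators and only calls it Bobic.k when the attachment pattern (the actual infection vector) appears together with at least one lure indicator, so that a harmless message titled "Testing" is not flagged on its own. The Message class and the sample messages are constructed for the example.

```python
import os
from dataclasses import dataclass, field

# Indicators taken from the strings listed above for Bobic.k (lower-cased).
SUBJECTS = {
    "saddam hussein - attempted escape, shot dead",
    "attached some pics that i found",
    "osama bin laden captured.",
    "testing",
    "secret!",
}
ATTACHMENT_NAMES = {"cool", "pics", "funny", "bush", "joke", "secret"}
ATTACHMENT_EXTS = {".pif", ".scr", ".exe", ".zip"}
FAKE_SCAN_LINE = "+++ attachment: no virus found"


@dataclass
class Message:
    """Minimal view of a mail message; constructed for this example."""
    subject: str
    body: str
    attachments: list = field(default_factory=list)  # attachment file names


def indicators(msg):
    """Return the Bobic.k indicators present in a message, in a fixed order."""
    hits = []
    if msg.subject.strip().lower() in SUBJECTS:
        hits.append("subject")
    if any(line.strip().lower() == FAKE_SCAN_LINE for line in msg.body.splitlines()):
        hits.append("fake_av_footer")
    for name in msg.attachments:
        base, ext = os.path.splitext(name)  # "secret.pif" -> ("secret", ".pif")
        if base.lower() in ATTACHMENT_NAMES and ext.lower() in ATTACHMENT_EXTS:
            hits.append("attachment:" + name)
    return hits


def is_bobic_k(msg):
    """Require the attachment pattern plus at least one lure indicator
    (subject or fake scan footer); the attachment alone is too generic."""
    hits = indicators(msg)
    has_attachment = any(h.startswith("attachment:") for h in hits)
    return has_attachment and len(hits) >= 2


# Constructed sample messages, not captured traffic.
SAMPLES = [
    Message(
        "Secret!",
        "Hey,\nCheck this out :-)\n\n+++ Attachment: No Virus found\n"
        "+++ Norton AntiVirus - You are protected\n+++ www.symantec.com",
        ["secret.pif"],
    ),
    Message("Testing", "just checking the mail server", ["notes.txt"]),
    Message("Q3 report", "Please see attached.", ["report.pdf"]),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m.subject!r}: bobic_k={is_bobic_k(m)} indicators={indicators(m)}")
```

The check is deliberately exact-match on subject and footer lines; a production rule would normally also block the executable extensions outright, regardless of the lure text.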

Payload

The worm disables the Windows firewall and also disables shared access. It changes several security-related settings in the Registry. The worm also prevents processes from being manipulated or terminated in Task Manager.

The Bobic.k worm can modify the Windows HOSTS file to block access to the following sites:

255.255.255.255
 ar.atwola.com
 atdmt.com
 avp.ch
 avp.com
 avp.ru
 awaps.net
 ca.com
 dispatch.mcafee.com
 download.mcafee.com
 download.microsoft.com
 downloads.microsoft.com
 engine.awaps.net
 f-secure.com
 ftp.f-secure.com
 ftp.sophos.com
 go.microsoft.com
 liveupdate.symantec.com
 mast.mcafee.com
 mcafee.com
 msdn.microsoft.com
 my-etrust.com
 nai.com
 networkassociates.com
 office.microsoft.com
 phx.corporate-ir.net
 secure.nai.com
 securityresponse.symantec.com
 service1.symantec.com
 sophos.com
 spd.atdmt.com
 support.microsoft.com
 symantec.com
 update.symantec.com
 updates.symantec.com
 us.mcafee.com
 vil.nai.com
 viruslist.ru
 windowsupdate.microsoft.com
 www.avp.ch
 www.avp.com
 www.avp.ru
 www.awaps.net
 www.ca.com
 www.f-secure.com
 www.kaspersky.ru
 www.mcafee.com
 www.my-etrust.com
 www.nai.com
 www.networkassociates.com
 www.sophos.com
 www.symantec.com
 www.trendmicro.com
 www.viruslist.com
 www.viruslist.ru
 www3.ca.com
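A tampered HOSTS file is one of the few indicators of this worm that can be checked offline on a disk image. The following is an added example, not code from the original description or from F-Secure: it parses hosts-file text and reports every entry for a name on the list above (or a subdomain of one). The first entry of the printed list, 255.255.255.255, is an IP address rather than a site and is assumed here to be the address the worm points the names at, so it is treated as a sinkhole address together with the usual loopback and unspecified addresses; an entry that redirects an update server to any other address is reported as well, since a spoofed update source is just as harmful. The sample hosts file is constructed, not taken from an infected machine.

```python
# Watchlist: the hostnames listed above, minus the 255.255.255.255 entry,
# which is an IP address rather than a site.
WATCHLIST = set("""
ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com
dispatch.mcafee.com download.mcafee.com download.microsoft.com
downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com
ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com
mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com
office.microsoft.com phx.corporate-ir.net secure.nai.com
securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com
support.microsoft.com symantec.com update.symantec.com updates.symantec.com
us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch
www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com
www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com
www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com
www.viruslist.com www.viruslist.ru www3.ca.com
""".split())

# Addresses used to make a name unreachable. 255.255.255.255 is assumed
# (not confirmed by the description) to be what Bobic.k writes.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "255.255.255.255", "::1"}


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, ignoring comments
    and blank lines. One line may map several names to the same address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            yield addr, name.lower()


def on_watchlist(name):
    """True if the name, or any parent domain of it, is on the watchlist."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in WATCHLIST for i in range(len(labels)))


def find_tampering(text):
    """Return (hostname, address, kind) for every watchlisted name in the file:
    'sinkhole' for a blackhole address, 'redirect' for anything else."""
    findings = []
    for addr, name in parse_hosts(text):
        if on_watchlist(name):
            kind = "sinkhole" if addr in SINKHOLE_ADDRS else "redirect"
            findings.append((name, addr, kind))
    return findings


# Constructed sample hosts file (not from an infected machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
255.255.255.255 www.symantec.com liveupdate.symantec.com
255.255.255.255 windowsupdate.microsoft.com
192.0.2.10      download.mcafee.com   # updates would come from elsewhere
10.0.0.5        intranet.example.com
"""

if __name__ == "__main__":
    for name, addr, kind in find_tampering(SAMPLE_HOSTS):
        print(f"{kind:8} {name} -> {addr}")
```

On a live Windows system the file to read is %SystemRoot%\System32\drivers\etc\hosts; on a mounted image, the same path under the image's Windows directory.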

The worm can also download three files from the Internet. These files are not malicious.





Technical Details: Alexey Podrezov, September 15th, 2005

