Summary

Bobic (also known as Bobax) is an e-mail and network worm. It spreads in e-mail messages and can also use different exploits to spread from computer to computer via Internet. However this variant doesn't have any exploits and it spreads only by e-mail.

Additional Details

When run, the worm's file drops a DLL component to temporary folder and injects it into Windows Explorer process.

Spreading in E-mails

The worm collects victims' e-mail addresses before spreading. It scans Windows Address Book file and files with the following extensions:

 .htm
 .txt
 .dbx

The worm ignores e-mail addresses that have any of the following substrings in them:

 ogle
 help
 admi
 ter@
 micr
 supp
 yman
 viru
 tren
 secu
 .mil
 urhq
 pand
 afee
 soph
 kasp
 .gov
 nort

The worm spreads in e-mail messages. It can use the following text strings in the Subject field:

 Saddam Hussein - Attempted Escape, Shot dead
 Attached some pics that i found

 Osama Bin Laden Captured.
 Attached some pics that i found

 Testing

 Secret!

The following text strings are used to create message body of an infected e-mail:

 Hey,
 Remember this?

 Hello,
 Long time! Check this out!

 Hey,
 I was going through my album, and look what I found..

 Hey,
 Check this out :-)

The worm can also append the following strings to the message to persuade a user that the message was scanned by an anti-virus and no infection was detected:

 +++ Attachment: No Virus found
 +++ Panda AntiVirus - You are protected
 +++ www.pandasoftware.com

 +++ Attachment: No Virus found
 +++ Norman AntiVirus - You are protected
 +++ www.norman.com

 +++ Attachment: No Virus found
 +++ F-Secure AntiVirus - You are protected
 +++ www.f-secure.com

 +++ Attachment: No Virus found
 +++ Norton AntiVirus - You are protected
 +++ www.symantec.com

The infected attachment names can be any of the following:

 Cool
 pics
 funny
 bush
 joke
 secret

Extensions of an infected attachment can be:

 .pif
 .scr
 .exe
 .pif
 .zip

A remote system becomes infected when a recipient opens the worm's attachment.

Payload

The worm disables Windows firewall and also disables shared access. It changes several security-related settings in the Registry. The worm disables process manupulation and termination in Task Manager.

Bobic.k worm can modify Windows HOSTS file to block access to the following sites:

 255.255.255.255
 ar.atwola.com
 atdmt.com
 avp.ch
 avp.com
 avp.ru
 awaps.net
 ca.com
 dispatch.mcafee.com
 download.mcafee.com
 download.microsoft.com
 downloads.microsoft.com
 engine.awaps.net
 f-secure.com
 ftp.f-secure.com
 ftp.sophos.com
 go.microsoft.com
 liveupdate.symantec.com
 mast.mcafee.com
 mcafee.com
 msdn.microsoft.com
 my-etrust.com
 nai.com
 networkassociates.com
 office.microsoft.com
 phx.corporate-ir.net
 secure.nai.com
 securityresponse.symantec.com
 service1.symantec.com
 sophos.com
 spd.atdmt.com
 support.microsoft.com
 symantec.com
 update.symantec.com
 updates.symantec.com
 us.mcafee.com
 vil.nai.com
 viruslist.ru
 windowsupdate.microsoft.com
 www.avp.ch
 www.avp.com
 www.avp.ru
 www.awaps.net
 www.ca.com
 www.f-secure.com
 www.kaspersky.ru
 www.mcafee.com
 www.my-etrust.com
 www.nai.com
 www.networkassociates.com
 www.sophos.com
 www.symantec.com
 www.trendmicro.com
 www.viruslist.com
 www.viruslist.ru
 www3.ca.com

The worm can also download 3 files from Internet. These files are not malicious.

Technical Details: Alexey Podrezov, September 15th, 2005;

F-Secure Corporation