Bobic (also known as Bobax) is an e-mail and network worm. It spreads in e-mail messages and can also use different exploits to spread from computer to computer via Internet. However this variant doesn't have any exploits and it spreads only by e-mail.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
When run, the worm's file drops a DLL component to temporary folder and injects it into Windows Explorer process.
Spreading in E-mails
The worm collects victims' e-mail addresses before spreading. It scans Windows Address Book file and files with the following extensions:
.htm .txt .dbx
The worm ignores e-mail addresses that have any of the following substrings in them:
ogle help admi ter@ micr supp yman viru tren secu .mil urhq pand afee soph kasp .gov nort
The worm spreads in e-mail messages. It can use the following text strings in the Subject field:
Saddam Hussein - Attempted Escape, Shot dead Attached some pics that i found Osama Bin Laden Captured. Attached some pics that i found Testing Secret!
The following text strings are used to create message body of an infected e-mail:
Hey, Remember this? Hello, Long time! Check this out! Hey, I was going through my album, and look what I found.. Hey, Check this out :-)
The worm can also append the following strings to the message to persuade a user that the message was scanned by an anti-virus and no infection was detected:
+++ Attachment: No Virus found +++ Panda AntiVirus - You are protected +++ www.pandasoftware.com +++ Attachment: No Virus found +++ Norman AntiVirus - You are protected +++ www.norman.com +++ Attachment: No Virus found +++ F-Secure AntiVirus - You are protected +++ www.f-secure.com +++ Attachment: No Virus found +++ Norton AntiVirus - You are protected +++ www.symantec.com
The infected attachment names can be any of the following:
Cool pics funny bush joke secret
Extensions of an infected attachment can be:
.pif .scr .exe .pif .zip
A remote system becomes infected when a recipient opens the worm's attachment.
The worm disables Windows firewall and also disables shared access. It changes several security-related settings in the Registry. The worm disables process manupulation and termination in Task Manager.
Bobic.k worm can modify Windows HOSTS file to block access to the following sites:
255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
The worm can also download 3 files from Internet. These files are not malicious.
Technical Details: Alexey Podrezov, September 15th, 2005