F-Secure Virus Descriptions : Bobic.k
Bobic (also known as Bobax) is an e-mail and network worm. It
spreads in e-mail messages and can also use different exploits to
spread from computer to computer via the Internet. However, this
variant doesn't have any exploits and spreads only by e-mail.
When run, the worm's file drops a DLL component into the temporary
folder and injects it into the Windows Explorer process.
Spreading in E-mails
The worm collects victims' e-mail addresses before spreading. It
scans the Windows Address Book file and files with the following
extensions:
.htm
.txt
.dbx
The worm ignores e-mail addresses that have any of the following
substrings in them:
ogle
help
admi
ter@
micr
supp
yman
viru
tren
secu
.mil
urhq
pand
afee
soph
kasp
.gov
nort
The worm spreads in e-mail messages. It can use the following
text strings in the Subject field:
Saddam Hussein - Attempted Escape, Shot dead
Attached some pics that i found
Osama Bin Laden Captured.
Attached some pics that i found
Testing
Secret!
The following text strings are used to create the message body of
an infected e-mail:
Hey,
Remember this?
Hello,
Long time! Check this out!
Hey,
I was going through my album, and look what I found..
Hey,
Check this out :-)
The worm can also append the following strings to the message to
persuade the user that the message was scanned by an anti-virus
product and no infection was detected:
+++ Attachment: No Virus found
+++ Panda AntiVirus - You are protected
+++ www.pandasoftware.com
+++ Attachment: No Virus found
+++ Norman AntiVirus - You are protected
+++ www.norman.com
+++ Attachment: No Virus found
+++ F-Secure AntiVirus - You are protected
+++ www.f-secure.com
+++ Attachment: No Virus found
+++ Norton AntiVirus - You are protected
+++ www.symantec.com
The infected attachment names can be any of the following:
Cool
pics
funny
bush
joke
secret
Extensions of an infected attachment can be:
.pif
.scr
.exe
.pif
.zip
A remote system becomes infected when a recipient opens the
worm's attachment.
Payload
The worm disables the Windows firewall and also disables shared
access. It changes several security-related settings in the
Registry. The worm also disables process manipulation and
termination in Task Manager.
The Bobic.k worm can also modify the Windows HOSTS file to block
access to a number of sites, mostly those of anti-virus vendors
and Microsoft update servers.
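As an added defender-side check (example code, not part of the original description), the following Python script parses a Windows HOSTS file and reports entries that pin anti-virus vendor or Microsoft update domains, or that map any name to 255.255.255.255. The sample HOSTS content, the domain subset and the treatment of 255.255.255.255 as the sink address are assumptions.

```python
import re

# Constructed sample HOSTS file: one legitimate entry, a user intranet
# entry, and three lines of the kind Bobic.k is described as adding.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
255.255.255.255 www.f-secure.com liveupdate.symantec.com
127.0.0.1   download.mcafee.com   # added after infection
10.0.0.5    intranet.example
"""

# Subset of the vendor / update domains named in the description above.
WATCHED_DOMAINS = {
    "f-secure.com", "symantec.com", "mcafee.com", "sophos.com",
    "kaspersky.ru", "trendmicro.com", "windowsupdate.microsoft.com",
}
# 255.255.255.255 appears in the description's list; assumed here to be
# the sink address the worm maps the names to.
SINK_ADDRESSES = {"255.255.255.255"}


def parse_hosts(text):
    """Yield (address, hostname) pairs, dropping comments and blank lines.

    A HOSTS line is: <address> <name> [<name> ...] with optional '#' comment.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        for name in fields[1:]:
            yield fields[0], name.lower()


def is_watched(name):
    """True if name is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_entries(text):
    """Return HOSTS entries that pin a watched domain to any address, or
    that point any name at a sink address. Legitimate entries such as
    '127.0.0.1 localhost' are not reported."""
    return [(addr, name) for addr, name in parse_hosts(text)
            if is_watched(name) or addr in SINK_ADDRESSES]


if __name__ == "__main__":
    for addr, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"suspicious HOSTS entry: {addr} -> {name}")
```

On a real system, read %SystemRoot%\System32\drivers\etc\hosts and pass its contents to suspicious_entries.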
The worm can also download 3 files from the Internet. These files
are not malicious.
Technical Details:
Alexey Podrezov, September 15th, 2005;
F-Secure Corporation