Classification

Category : Malware

Type : -

Aliases : Bomka, Trojan-Downloader.Win32.Bomka, W32/Bomka

Summary

Bomka is a remotely controlled trojan. It reads instructions from certain websites and can download and run files on an infected computer.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Bomka is usually spammed in emails inside a dropper that may also contain a decoy and an additional downloader component. The decoy is usually a joke program or a small game.

When a user runs the attached dropper, Bomka is installed on the computer. At the same time a decoy program is launched so that the user does not suspect an infection. Bomka's file is a DLL (Dynamic Link Library) that is started as a system component. In some cases Bomka's file is named KABOOM.DLL.

Once active, the trojan connects to several websites (the list is hardcoded in the trojan's body) and reads instructions from them. These instructions may include a backup site name, a sleep delay, and a request to download and run a particular file from the Internet.

In some cases another DLL is dropped together with Bomka. It is usually named MSX.DLL and is started at the same time as Bomka's DLL. This is a trojan downloader that downloads and runs an executable file (usually named IETOOL.EXE) from the same website that controls Bomka. The downloaded file is a trojan dropper that updates both Bomka and downloader components.

The latest Bomka droppers (NSIS packages) that are being spammed around contain only the MSX.DLL component, which downloads another dropper. That dropper (also an NSIS package) then drops the main Bomka component, KABOOM.DLL, onto the hard drive.
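The chain described above (a Bomka DLL loaded by a process, that process fetching instructions over the web, and IETOOL.EXE being written to disk) can be expressed as a simple per-process correlation rule. The following is an added example, not code from F-Secure or from this write-up; the telemetry line format, the sample events and the hostnames in them are constructed for illustration.

```python
# Added example (not part of the original write-up): correlates the Bomka chain
# described above (MSX.DLL or KABOOM.DLL loaded, then a web request for
# instructions, then IETOOL.EXE written) per process. Log format is constructed.
import re
from collections import defaultdict

BOMKA_DLLS = {"kaboom.dll", "msx.dll"}   # component names from the description
BOMKA_PAYLOAD = "ietool.exe"
# Constructed telemetry line: "<unix_ts> <event_type> pid=<pid> <target>"
EVENT_RE = re.compile(r"^(?P<ts>\d+) (?P<type>\w+) pid=(?P<pid>\d+) (?P<target>\S+)$")

def parse_event(line):
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None      # None for lines that do not match
def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_bomka_chains(lines, window=600):
    """Return {pid: [stage, ...]} for each process that loads a Bomka DLL and,
    within `window` seconds, also fetches over HTTP or writes IETOOL.EXE."""
    per_pid = defaultdict(list)
    for ev in filter(None, map(parse_event, lines)):
        per_pid[ev["pid"]].append(ev)
    hits = {}
    for pid, events in per_pid.items():
        stages, start = [], None
        for ev in sorted(events, key=lambda e: int(e["ts"])):
            ts, kind, name = int(ev["ts"]), ev["type"], basename(ev["target"])
            if kind == "module_load" and name in BOMKA_DLLS:
                start = ts if start is None else start     # first DLL load opens the window
                stages.append("dll:" + name)
            elif start is None or ts - start > window:
                continue                                   # no DLL yet, or outside the window
            elif kind == "http_get" and not any(s.startswith("http:") for s in stages):
                stages.append("http:" + ev["target"])      # instruction fetch
            elif kind == "file_create" and name == BOMKA_PAYLOAD:
                stages.append("drop:" + name)              # downloaded dropper written to disk
        if len(stages) >= 2:
            hits[pid] = stages
    return hits

# Constructed sample: pid 412 full chain; pid 555 fetches too late; pid 900 web request only.
SAMPLE_EVENTS = [
    "1000 module_load pid=412 C:\\WINDOWS\\SYSTEM32\\MSX.DLL",
    "1005 http_get pid=412 http://control.example/instructions.txt",
    "1020 file_create pid=412 C:\\WINDOWS\\TEMP\\IETOOL.EXE",
    "2000 module_load pid=555 C:\\WINDOWS\\SYSTEM32\\KABOOM.DLL",
    "3000 http_get pid=555 http://control.example/instructions.txt",
    "1100 http_get pid=900 http://updates.example/feed",
]
```

Widening `window` makes the rule more sensitive (pid 555 is then flagged too) at the cost of more false positives from legitimate DLLs that happen to share a name.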

We think that Bomka is used as a distribution channel for some software, possibly adware or even malware. However, we have no reports so far of anything having been downloaded to infected computers.