Bobax

Threat description

Details

Category:
Platform: W32

Summary

Bobax is a new, Sasser-like trojan proxy that uses the MS04-011 (LSASS.EXE) vulnerability to propagate. When instructed to do so it scans random IP addresses for vulnerable computers.



Removal

Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details

The Bobax executable is packed with a modified version of UPX.

The strings within its body are encoded using a simple scrambling function.

It opens a HTTP server on the infected machine, to further distribute itself upon infection of new hosts.

When attempting to find new targets, it will probe the port 5000 ( Universal Plug and Play (UPnP) ) , a sign of a machine running Windows XP. If found, it will attempt infection of the target by means of using the LSASS exploit made famous by the Sasser worm.

When Bobax infects a host, the exploit uses HTTP to download the executable from a webserver which listens on a random port on the attacker host. The data is downloaded into a dropper file called 'svc.exe'.

The dropper drops a DLL to the temporary directory with a random name. The DLL is launched by injecting it to Explorer with a technique called DLL Injection. Because the code runs as a thread in Explorer it's not visible as a separate process.



Detection

Detection for this malware was published on May 16th, 2004 in the following F-Secure Anti-Virus updates: Detection Type:PC
Database:2004-05-16_01



Description Details: Gergely Erdelyi & Ero Carrera, May 16th, 2004;


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More