Bobic.k

Threat description

Details

Category: Malware
Type: Worm

Summary

Bobic (also known as Bobax) is an e-mail and network worm. It spreads in e-mail messages and can also use different exploits to spread from computer to computer via the Internet. However, this variant doesn't have any exploits and spreads only by e-mail.

Removal

Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

When run, the worm's file drops a DLL component to the temporary folder and injects it into the Windows Explorer process.

Spreading in E-mails

The worm collects victims' e-mail addresses before spreading. It scans the Windows Address Book file and files with the following extensions:

.htm
.txt
.dbx

The worm ignores e-mail addresses that have any of the following substrings in them:

ogle
help
admi
ter@
micr
supp
yman
viru
tren
secu
.mil
urhq
pand
afee
soph
kasp
.gov
nort

The worm spreads in e-mail messages. It can use the following text strings in the Subject field:

Saddam Hussein - Attempted Escape, Shot dead
Attached some pics that i found
Osama Bin Laden Captured.
Attached some pics that i found
Testing
Secret!

The following text strings are used to create the message body of an infected e-mail:

Hey,
Remember this?
Hello,
Long time! Check this out!
Hey,
I was going through my album, and look what I found..
Hey,
Check this out :-)

The worm can also append the following strings to the message to persuade the recipient that the message was scanned by an anti-virus product and no infection was detected:

+++ Attachment: No Virus found
+++ Panda AntiVirus - You are protected
+++ www.pandasoftware.com
+++ Attachment: No Virus found
+++ Norman AntiVirus - You are protected
+++ www.norman.com
+++ Attachment: No Virus found
+++ F-Secure AntiVirus - You are protected
+++ www.f-secure.com
+++ Attachment: No Virus found
+++ Norton AntiVirus - You are protected
+++ www.symantec.com

The infected attachment names can be any of the following:

Cool
pics
funny
bush
joke
secret

Extensions of an infected attachment can be:

.pif
.scr
.exe
.pif
.zip

A remote system becomes infected when a recipient opens the worm's attachment.

Payload

The worm disables the Windows firewall and also disables shared access. It changes several security-related settings in the Registry. The worm disables process manipulation and termination in Task Manager.

The Bobic.k worm can also modify the Windows HOSTS file to block access to a number of anti-virus vendor and Microsoft sites.

The worm can also download 3 files from the Internet. These files are not malicious.
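As an added defensive example (not part of the F-Secure description), the following Python checks a HOSTS file for the payload behaviour described above: security-vendor hostnames pinned to a sinkhole address such as 255.255.255.255 or 127.0.0.1 so that updates and support pages become unreachable. The watch-list of vendor domains and the sample HOSTS content are constructed for the example and are not taken from the worm.

```python
import ipaddress

# Constructed sample HOSTS file (not from the page): vendor hostnames pinned
# to a sinkhole address, alongside legitimate entries that must not alert.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
255.255.255.255 www.f-secure.com ftp.f-secure.com
255.255.255.255 liveupdate.symantec.com
127.0.0.1       download.mcafee.com   # added by malware
192.168.1.10    fileserver.corp.example
"""

# Assumed watch-list of vendor/update domains; extend for your environment.
WATCHED_SUFFIXES = (
    "f-secure.com", "symantec.com", "mcafee.com", "pandasoftware.com",
    "norman.com", "sophos.com", "kaspersky.ru", "microsoft.com",
)


def _is_sinkhole(addr: str) -> bool:
    """True for loopback, 0.0.0.0 or 255.255.255.255: the name is unreachable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified or addr == "255.255.255.255"


def _is_watched(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_blocked_vendors(hosts_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, address, hostname) for each HOSTS entry that pins a
    watched vendor hostname to a sinkhole address; comments are ignored."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # strip trailing/whole comments
        if not line:
            continue
        addr, *names = line.split()           # one address, one or more names
        if not _is_sinkhole(addr):
            continue
        for name in names:
            if _is_watched(name):
                findings.append((lineno, addr, name))
    return findings
```

On a Windows host the file to read is %SystemRoot%\System32\drivers\etc\hosts; any finding is a reason to inspect the machine rather than to simply delete the line.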
