Threat description




Bobic (also known as Bobax) is an e-mail and network worm. It spreads in e-mail messages and can also use different exploits to spread from computer to computer via the Internet. However, this variant doesn't have any exploits and spreads only by e-mail.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

When run, the worm's file drops a DLL component to the temporary folder and injects it into the Windows Explorer process.

Spreading in E-mails

The worm collects victims' e-mail addresses before spreading. It scans the Windows Address Book file and files with the following extensions:

.htm  .txt  .dbx   

The worm ignores e-mail addresses that have any of the following substrings in them:

ogle  help  admi  ter@  micr  supp  yman  viru  tren  secu  .mil  urhq  pand  afee  soph  kasp  .gov  nort   

The worm spreads in e-mail messages. It can use the following text strings in the Subject field:

Saddam Hussein - Attempted Escape, Shot dead
Attached some pics that i found
Osama Bin Laden Captured.
Attached some pics that i found
Testing
Secret!

The following text strings are used to create the message body of an infected e-mail:

Hey,
Remember this?

Hello,
Long time! Check this out!

Hey,
I was going through my album, and look what I found..

Hey,
Check this out :-)

The worm can also append the following strings to the message to persuade a user that the message was scanned by an anti-virus and no infection was detected:

+++ Attachment: No Virus found
+++ Panda AntiVirus - You are protected
+++

+++ Attachment: No Virus found
+++ Norman AntiVirus - You are protected
+++

+++ Attachment: No Virus found
+++ F-Secure AntiVirus - You are protected
+++

+++ Attachment: No Virus found
+++ Norton AntiVirus - You are protected
+++

The infected attachment names can be any of the following:

Cool  pics  funny  bush  joke  secret   

Extensions of an infected attachment can be:

.pif  .scr  .exe  .pif  .zip   

A remote system becomes infected when a recipient opens the worm's attachment.
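The indicators listed above can be combined into a mail-filter check. The following is an added example, not F-Secure's detection logic: the function names are assumptions, the sample messages are constructed, and a hit is only reported when a matching attachment name coincides with a second indicator, since subjects such as "Testing" are too common to act on alone.

```python
import re
from email.message import EmailMessage
from pathlib import PurePosixPath

# Indicators copied from the description above (compared case-insensitively).
SUBJECTS = {
    "saddam hussein - attempted escape, shot dead", "osama bin laden captured.",
    "attached some pics that i found", "testing", "secret!",
}
ATTACH_NAMES = {"cool", "pics", "funny", "bush", "joke", "secret"}
ATTACH_EXTS = {".pif", ".scr", ".exe", ".zip"}
# Fake "scanned by anti-virus" footer: the vendor name varies, the framing does not.
FAKE_AV = re.compile(
    r"\+\+\+ Attachment: No Virus found\s*\+\+\+ .{1,40}? - You are protected",
    re.IGNORECASE,
)

def bobic_indicators(msg):
    """Return the set of indicator names that match a parsed message."""
    hits = set()
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            p = PurePosixPath(fname.lower())
            if p.stem in ATTACH_NAMES and p.suffix in ATTACH_EXTS:
                hits.add("attachment")
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True) or b""
            if FAKE_AV.search(body.decode("latin-1")):
                hits.add("fake_av_footer")
    return hits

def is_suspect(msg):
    # Require the attachment pattern plus one more indicator to limit false positives.
    hits = bobic_indicators(msg)
    return "attachment" in hits and len(hits) >= 2

def sample_message(subject, body, fname=None):
    """Build a constructed test message (hypothetical helper, placeholder payload)."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    if fname:
        m.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename=fname)
    return m
```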


The worm disables the Windows firewall and also disables shared access. It changes several security-related settings in the Registry. The worm disables process manipulation and termination in Task Manager.

The Bobic.k worm can modify the Windows HOSTS file to block access to the following sites:

The worm can also download 3 files from the Internet. These files are not malicious.
