Threat Description

Boomka

Details

Category: Malware
Platform: W32
Aliases: Bomka, Trojan-Downloader.Win32.Bomka, W32/Bomka

Summary


Bomka is a remotely controlled trojan. It reads instructions from certain websites and can download and run files on an infected computer.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


Bomka is usually spammed out in e-mail inside a dropper that may also contain a decoy and an additional downloader component. The decoy is usually a joke program or a small game.

When the user runs the attached dropper, Bomka is installed on the computer and the decoy program is launched at the same time, so that the user does not suspect an infection. Bomka's file is a DLL (Dynamic Link Library) that is started as a system component. In some cases Bomka's file is named KABOOM.DLL.

Once active, the trojan connects to several websites (the list is hardcoded in the trojan's body) and reads instructions from them. These instructions may include a backup site name, a sleep delay, and a request to download and run a certain file from the Internet.

In some cases another DLL is dropped together with Bomka. It is usually named MSX.DLL and is started at the same time as Bomka's DLL. This second DLL is a trojan downloader that downloads and runs an executable file (usually named IETOOL.EXE) from the same website that controls Bomka. The downloaded file is a trojan dropper that updates both the Bomka and the downloader components.

The latest Bomka droppers (NSIS packages) that are being spammed around contain only the MSX.DLL component, which downloads another dropper. That dropper (also an NSIS package) then drops the main Bomka component, KABOOM.DLL, onto the hard drive.
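The infection chain above leaves two kinds of traces an analyst can look for: the named components on disk (KABOOM.DLL, MSX.DLL) and the IETOOL.EXE download from the site that also controls Bomka. The following triage script is an added example written for this page, not F-Secure code. It assumes a simple one-line-per-request proxy log format of its own, and the file paths and log lines it scans are constructed sample data; the host name example-control.invalid is a placeholder, not a real controller.

```python
"""Triage helper for the Bomka artefacts named in the description above.

Constructed example, not F-Secure code. The artefact names come from the
description; the sample paths, the proxy log format and the log lines are
assumed for illustration.
"""
import re
from urllib.parse import urlsplit

# Artefacts named in the description, with the role each one plays.
BOMKA_FILES = {
    "kaboom.dll": "main Bomka component (reads instructions from web sites)",
    "msx.dll": "downloader component that fetches the updater dropper",
    "ietool.exe": "dropper fetched by MSX.DLL that updates both components",
}

# Constructed sample data: a partial directory listing from a suspect host.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\kaboom.dll",
    r"C:\WINDOWS\system32\msx.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\Documents and Settings\user\Local Settings\Temp\funnygame.exe",
]

# Constructed sample proxy log. Assumed format (not a real product's):
# "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_LOG = [
    "2006-02-03T10:15:01 10.0.0.12 GET http://example-control.invalid/ietool.exe 200",
    "2006-02-03T10:15:05 10.0.0.12 GET http://example-control.invalid/cmd.txt 200",
    "2006-02-03T10:16:40 10.0.0.13 GET http://www.example.com/index.html 200",
    "this line is deliberately malformed",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_paths(paths):
    """Return (path, role) for every path whose file name is a known Bomka artefact.

    Matching is case-insensitive and accepts both path separators, since the
    listing may come from a Windows host or from a mounted image."""
    hits = []
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in BOMKA_FILES:
            hits.append((p, BOMKA_FILES[name]))
    return hits


def parse_proxy_log(lines):
    """Yield (timestamp, client, method, url, status) for well-formed lines.

    Malformed lines are skipped rather than aborting the whole triage run."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groups()


def ietool_downloads(lines):
    """Return (client, host, url) for every GET of IETOOL.EXE in the log."""
    hits = []
    for _ts, client, method, url, _status in parse_proxy_log(lines):
        parts = urlsplit(url)
        if method.upper() == "GET" and parts.path.lower().endswith("/ietool.exe"):
            hits.append((client, parts.hostname, url))
    return hits


def controllers_by_client(lines):
    """Group the hosts that served IETOOL.EXE per client address.

    The description says the same site also controls Bomka, so these are
    the addresses to block and the clients to isolate."""
    out = {}
    for client, host, _url in ietool_downloads(lines):
        out.setdefault(client, set()).add(host)
    return out


if __name__ == "__main__":
    for path, role in scan_paths(SAMPLE_PATHS):
        print(f"[file] {path}: {role}")
    for client, hosts in controllers_by_client(SAMPLE_LOG).items():
        print(f"[net]  {client} fetched IETOOL.EXE from {', '.join(sorted(hosts))}")
```

The file-name check is deliberately narrow: it only catches the names reported in the description, so a renamed component will not be flagged, and a hit should be confirmed by scanning the file rather than treated as proof on its own. The proxy check is the more robust of the two, because it ties an infected client to the site that controls it.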

We think that Bomka is used as a distribution channel for some software, possibly adware or even malware. However, so far we have no reports of anything actually having been downloaded to infected computers.





Description Details: Alexey Podrezov, February 3, 2006
Technical Details: Alexey Podrezov, February 3, 2006
Description Last Modified: Alexey Podrezov, February 17, 2006

