NEWS FROM THE LAB - Friday, May 21, 2004

More on the Bobax worms
Posted by Mikko @ 11:51 GMT

There are now four different versions of the Bobax worm. All of them are used by spammers and controlled through a handful of websites. Some of the variants now even do bandwidth testing to find the most useful machines for spammers to send their spam from.

Later variants in the family also spread through the RPC DCOM hole (135/TCP) in addition to the LSASS hole (445/TCP), and they fingerprint target systems through UPnP (5000/TCP).

Fragment from Bobax body
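
A defender-side check built on the port pattern described above, as an added example that is not part of the original post: it flags sources that touch 5000/TCP on a host and then 135/TCP or 445/TCP on that same host, across several hosts. The flow-record format, the probe-then-connect ordering, the 60-second window and the three-target threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Ports named in the post: UPnP fingerprinting and the two spreading vectors.
FINGERPRINT_PORT = 5000
EXPLOIT_PORTS = {135, 445}

# Constructed sample flow records, "epoch src dst dport" (not real traffic).
SAMPLE_FLOWS = """\
1085140000 10.0.0.23 192.0.2.10 5000
1085140002 10.0.0.23 192.0.2.10 445
1085140003 10.0.0.23 192.0.2.11 5000
1085140005 10.0.0.23 192.0.2.11 135
1085140006 10.0.0.23 192.0.2.12 5000
1085140009 10.0.0.23 192.0.2.12 445
1085140010 10.0.0.40 10.0.0.5 445
1085140011 10.0.0.51 192.0.2.20 5000
1085140012 10.0.0.51 192.0.2.20 445
truncated-record 10.0.0.23
"""

def parse_flows(text):
    """Yield (ts, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def find_scanners(flows, min_targets=3, window=60):
    """Return {src: [dst, ...]} for sources that touched 5000/TCP on a host and
    then 135/TCP or 445/TCP on the same host within `window` seconds, for at
    least `min_targets` distinct hosts (both thresholds are assumptions)."""
    probed = {}               # (src, dst) -> time of latest 5000/TCP contact
    hits = defaultdict(set)   # src -> hosts that saw the full sequence
    for ts, src, dst, dport in sorted(flows):
        if dport == FINGERPRINT_PORT:
            probed[(src, dst)] = ts
        elif dport in EXPLOIT_PORTS:
            seen = probed.get((src, dst))
            if seen is not None and ts - seen <= window:
                hits[src].add(dst)
    return {s: sorted(d) for s, d in hits.items() if len(d) >= min_targets}

if __name__ == "__main__":
    print(find_scanners(parse_flows(SAMPLE_FLOWS)))
```

A lone 445/TCP connection to a file server, like the one from 10.0.0.40 in the sample, is not flagged because no 5000/TCP contact precedes it.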