Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Bobax.A

Win32/Bobax.A is an Internet worm that exploits a vulnerability in Microsoft Windows systems in order to spread.
Its executable file is 20 kB in size. Upon execution it copies itself into the %system% folder under a random name. It drops a randomly named DLL file, 17920 bytes in size, into the %temp% folder. This DLL is then executed as a new thread of the Explorer process.

Note: In what follows the string %windir% is used instead of the actual name of the Windows installation directory, which may differ from system to system. The System or System32 subdirectory of %windir% is referred to as %system%.

Win32/Bobax.A checks for a mutex called 00:24:03:54A9D. If it is found in memory, the worm terminates. Otherwise, the mutex is created. This way, only one instance of the worm can be active.
In order to ensure its execution on every system startup, the worm creates two randomly named values in the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

The values contain the path of the file the worm dropped in the %system% folder.
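The host-level indicators described above (the mutex, the Run/RunServices values pointing into %system%, and the 17920-byte DLL in %temp%) can be checked with the following triage script. It is an added example, not part of the encyclopedia entry; it assumes an elevated PowerShell session, and the "unsigned file directly in %system%" heuristic is my own, not something the entry states.

```powershell
# Added triage script for the Win32/Bobax.A indicators in this entry (not the
# entry's own code). Assumes an elevated session; mutex name, key paths and DLL
# size come from the entry, the signature heuristic is an assumption of mine.
function Find-BobaxIndicators {
    $findings = @()

    # 1. The worm's mutex exists only while an instance is running.
    try {
        $m = [System.Threading.Mutex]::OpenExisting('00:24:03:54A9D')
        $m.Dispose()
        $findings += 'mutex 00:24:03:54A9D exists (worm instance running)'
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # Not found: the expected result on a clean host.
    }

    # 2. Run/RunServices values whose data is an unsigned file directly in %system%.
    $systemDir = [Environment]::SystemDirectory
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
    foreach ($key in $runKeys) {
        # RunServices is normally absent on NT-based systems; skip missing keys.
        if (-not (Test-Path $key)) { continue }
        $entry = Get-ItemProperty -Path $key
        foreach ($prop in $entry.PSObject.Properties) {
            if ($prop.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            $path = ([string]$prop.Value).Trim('"')
            if ($path -like "$systemDir\*" -and (Test-Path -LiteralPath $path -PathType Leaf)) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') {
                    $findings += "$key\$($prop.Name) -> $path (signature: $($sig.Status))"
                }
            }
        }
    }

    # 3. Randomly named DLL of exactly 17920 bytes dropped into %temp%.
    Get-ChildItem -Path $env:TEMP -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -eq 17920 } |
        ForEach-Object { $findings += "17920-byte DLL in %temp%: $($_.FullName)" }

    return $findings
}

$hits = @(Find-BobaxIndicators)
if ($hits.Count -eq 0) { 'No Win32/Bobax.A indicators found.' } else { $hits }
```

A hit on any single check is a reason to pull the file for analysis, not proof of infection; legitimate unsigned programs can register in Run, so confirm by file hash or with an up-to-date scanner.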

Win32/Bobax.A connects to one of the following addresses:

butter.dns4biz.org
cheese.dns4biz.org
kwill.hopto.org
chilly.no-ip.info

Using the HTTP protocol, it sends information about the infiltrated system and is able to receive commands. It can download a file from the Internet and execute it. This worm can also be used for spamming, as it contains a simple SMTP engine. The worm spreads only if told to do so by a remote system. It exploits a vulnerability in Windows systems identified as CAN-2003-0533: Win32/Bobax.A searches for vulnerable computers and tries to execute code on them. If it succeeds, the worm is downloaded by the victim and executed. For the purpose of spreading, Win32/Bobax.A contains a simple HTTP server running on a random port. The server only provides access to the file containing the worm.

Information about the vulnerability and security patches can be found at the following address: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx.

Detection of Win32/Bobax.A based on a sample has been included since version 1.762.