W32/Bobandy-C

Category: Viruses and Spyware Protection available since: 18 Oct 2006 00:00:00 (GMT)
Type: Win32 worm Last updated: 18 Oct 2006 00:00:00 (GMT)
Prevalence:


W32/Bobandy-C is a mass-mailing worm for the Windows platform.

W32/Bobandy-C spreads by emailing itself to the email addresses harvested from the infected computer.

W32/Bobandy-C also attempts to spread by copying itself to shared folders of a number of Peer to Peer (P2P) filesharing applications.

When first run, W32/Bobandy-C copies itself to:

<Startup>\xz.cmd
<User>\Templates\<random number>\<random number>.exe
<User>\Templates\<random number>\service.exe
<User>\Templates\<random number>\winlogon.exe
<Windows>\<random number>.exe
<Windows>\<random number>\bb<random number>l.com
<Windows>\<random number>\smss.exe
<Windows>\<random number>\system.exe
<Windows>\l<random number>.exe
<Windows>\lsass.exe
<System>\<random number>a\c6738430.cmd
<System>\<random number>l.exe
<System>\moonlight.scr

(Note: <random number> may vary)

and creates the following files:

<System>\syscon.sys
<Windows>\MoonLight.txt
<Windows>\Renungan.html

These files are not malicious and can be safely deleted.

The following registry entries are set:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random number>
<Windows>\<random number>.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random number>
<System>\<random number>l.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\
Common Startup
<System>\<random number>a

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
explorer.exe, <User>\Templates\<random number>\<random number>.exe

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell
<random number>.exe

Registry entries are created under:

HKCU\Software\VB and VBA Program Settings\titta\version\
HKCU\Software\VB and VBA Program Settings\untukmu2\version\
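
The registry changes and file copies listed above can be checked for on a collected host snapshot. The following is an added example, not part of the original analysis: the function names, the snapshot format (a dict of registry value paths and a list of file paths) and all sample values are constructed, and the expected clean values assume English-language Windows defaults (`explorer.exe` as the Winlogon shell, `cmd.exe` as the SafeBoot alternate shell, a Common Startup path under `Start Menu`).

```python
import ntpath

# Registry values the worm modifies, as listed in the analysis above.
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
ALTSHELL = r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell"
STARTUP = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
           r"\User Shell Folders\Common Startup")
# System process names the worm reuses; the genuine binaries live in System32.
SYSTEM_NAMES = {"lsass.exe", "smss.exe", "winlogon.exe"}

def check_registry(values):
    """values: dict of full registry value path -> data (assumed snapshot format)."""
    findings = []
    shell = [p.strip().lower() for p in values.get(WINLOGON, "explorer.exe").split(",")]
    extra = [p for p in shell if p and p != "explorer.exe"]
    if extra:  # anything appended after explorer.exe also starts at logon
        findings.append(("winlogon-shell", extra))
    alt = values.get(ALTSHELL, "cmd.exe").strip().lower()
    if alt != "cmd.exe":  # Safe Mode with Command Prompt would launch this instead
        findings.append(("safeboot-alternateshell", [alt]))
    startup = values.get(STARTUP, "").lower()
    if startup and "start menu" not in startup:  # Startup folder redirected
        findings.append(("common-startup", [startup]))
    return findings

def masquerading(paths, system_dir=r"c:\windows\system32"):
    """Return paths that use a system process name outside the System32 folder."""
    hits = []
    for p in paths:
        folder, name = ntpath.split(p.lower())
        if name in SYSTEM_NAMES and folder != system_dir:
            hits.append(p)
    return hits

# Constructed sample snapshot; the numeric names stand in for <random number>.
SAMPLE_REG = {
    WINLOGON: r"explorer.exe, C:\Documents and Settings\u\Templates\1234\5678.exe",
    ALTSHELL: "5678.exe",
    STARTUP: r"C:\WINDOWS\system32\1234a",
}
SAMPLE_FILES = [r"C:\WINDOWS\lsass.exe", r"C:\WINDOWS\system32\lsass.exe",
                r"C:\WINDOWS\1234\smss.exe"]

if __name__ == "__main__":
    print(check_registry(SAMPLE_REG))
    print(masquerading(SAMPLE_FILES))
```

The AlternateShell and Winlogon Shell values matter for cleanup as well as detection, because they cause the worm's copy to start even when booting into Safe Mode with Command Prompt or after the Run keys are removed.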
