W32/Bobandy-A is a mass-mailing worm for the Windows platform.
Emails sent by W32/Bobandy-A have the following characteristics:
Subject line:
Registration Confirmation
Cek This
hello
RE:bla bla bla
RE:HeLLO GuYs
Message text (one of the following bodies):

hi please see this file
For security reasons attached file is password protected.
The password is 55132098

hot babe high quality porn
For security reasons attached file is password protected.
The password is 55132098

free screen saver romance for you
Please Visit Our Web Site:http://www.moonLight.com
For security reasons attached file is password protected.
The password is 55132098

hey free brontok, small_kl & more removal
For security reasons attached file is password protected.
The password is 55132098

thank's for you register
For security reasons attached file is password protected.
The password is 55132098

your acount details are attached
For security reasons attached file is password protected.
The password is 55132098
When first run W32/Bobandy-A copies itself to:
<Startup>\MySqld-nt Start.cmd
<Windows>\Brico.cmd
<Windows>\Systask.exe
<Windows>\command.com
<Windows>\java\clases\bin\csrss.exe
<System>\MySqld-nt.cmd
<System>\;applog\Sys\Winlogon.exe
<System>\dllcache\(CLSID)\msowcf.cmd
<System>\remotesp.cmd
<System>\run32dll.exe
and creates the following harmless files:
<User>\My Documents\Mo0nLighT.A.txt
<System>\MoonLigHT.rtf
W32/Bobandy-A creates the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MooNlight
MySqld-nt.cmd
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ObjectDock
Brico.cmd
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe, COMMAND\SETRAMD.cmd
Registry entries are created under:
HKCU\Software\VB and VBA Program Settings\untukmu\version\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
W32/Bobandy-A attempts to copy itself to the root folders of all mapped drives.
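The file and registry artifacts listed above, turned into an offline triage check. This is an added example and not part of the original advisory: it expands the <Startup>, <Windows>, <System> and <User> placeholders into concrete directories, then matches a collected file listing and a registry export against them. The directory roots, the sample listing and the sample registry rows are constructed here; the Winlogon Shell rule treats anything other than the default "explorer.exe" as modified and gives the worm's own value a specific label.

```python
# Added triage example (not from the original advisory): match a file listing and a
# registry export against the W32/Bobandy-A persistence artifacts listed on the page.
# ROOTS, SAMPLE_LISTING and SAMPLE_REGISTRY are constructed sample data, not real
# forensic output; point ROOTS at the directories of the host being examined.

# File artifacts exactly as listed on the page (placeholders kept).
FILE_TEMPLATES = [
    r"<Startup>\MySqld-nt Start.cmd",
    r"<Windows>\Brico.cmd",
    r"<Windows>\Systask.exe",
    r"<Windows>\command.com",
    r"<Windows>\java\clases\bin\csrss.exe",
    r"<System>\MySqld-nt.cmd",
    r"<System>\;applog\Sys\Winlogon.exe",
    r"<System>\dllcache\(CLSID)\msowcf.cmd",
    r"<System>\remotesp.cmd",
    r"<System>\run32dll.exe",
    r"<User>\My Documents\Mo0nLighT.A.txt",
    r"<System>\MoonLigHT.rtf",
]

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Run values the worm adds, as (value name, data), case-folded.
RUN_VALUES = {("moonlight", "mysqld-nt.cmd"), ("objectdock", "brico.cmd")}
# Data the worm writes into Winlogon\Shell; a clean host has just "explorer.exe".
WORM_SHELL = r"explorer.exe, COMMAND\SETRAMD.cmd"


def norm(path: str) -> str:
    """Case-fold and unify separators so listings from different tools compare equal."""
    return path.replace("/", "\\").rstrip("\\").lower()


def expand(template: str, roots: dict) -> str:
    """roots maps a placeholder name such as 'Windows' to a concrete directory."""
    for name, base in roots.items():
        template = template.replace(f"<{name}>", base)
    return template


def match_files(listing, roots):
    """Return the listing entries (original spelling) that are Bobandy-A artifacts."""
    wanted = {norm(expand(t, roots)) for t in FILE_TEMPLATES}
    return sorted(p for p in listing if norm(p) in wanted)


def match_registry(rows):
    """rows: iterable of (key, value_name, data). Returns a list of (row, label).

    Flags the worm's two Run values exactly, and any Winlogon\\Shell data other than
    the default 'explorer.exe'; the worm's own Shell data gets its own label."""
    hits = []
    for key, name, data in rows:
        k, n, d = norm(key), name.lower(), data.strip().lower()
        if k == norm(RUN_KEY) and (n, d) in RUN_VALUES:
            hits.append(((key, name, data), "bobandy-run-value"))
        elif k == norm(WINLOGON_KEY) and n == "shell" and d != "explorer.exe":
            label = "bobandy-winlogon-shell" if d == WORM_SHELL.lower() else "winlogon-shell-modified"
            hits.append(((key, name, data), label))
    return hits


# Constructed sample: an XP-era profile layout with benign neighbours mixed in.
ROOTS = {
    "Startup": r"C:\Documents and Settings\alice\Start Menu\Programs\Startup",
    "Windows": r"C:\WINDOWS",
    "System": r"C:\WINDOWS\system32",
    "User": r"C:\Documents and Settings\alice",
}
SAMPLE_LISTING = [
    r"C:\WINDOWS\Brico.cmd",
    r"C:\WINDOWS\system32\run32dll.exe",
    r"C:\WINDOWS\system32\rundll32.exe",      # legitimate file with a lookalike name
    r"C:\WINDOWS\notepad.exe",
    r"c:/windows/java/clases/bin/CSRSS.EXE",  # same artifact as listed by another tool
]
SAMPLE_REGISTRY = [
    (RUN_KEY, "MooNlight", "MySqld-nt.cmd"),
    (RUN_KEY, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    (WINLOGON_KEY, "Shell", WORM_SHELL),
]

if __name__ == "__main__":
    for p in match_files(SAMPLE_LISTING, ROOTS):
        print("file    ", p)
    for row, label in match_registry(SAMPLE_REGISTRY):
        print("registry", label, row)
```

The lookalike names matter here: run32dll.exe, csrss.exe and command.com are chosen to blend in with genuine Windows binaries, so the comparison is on the full expanded path, not the file name alone, and the real rundll32.exe in the sample listing is not flagged.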
The attached file will take one of the following names:
mypic.zip
dataKU.zip
attach.zip
Update.zip
Doc.uu
file.zip
thisfile.uu
pic.zip
The attached file is detected as Troj/BobanDl-A.
W32/Bobandy-A harvests email addresses from files on the infected computer.
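The subject lines, the fixed "password protected" body lines and the attachment names listed above, combined into one message scorer. This is an added example, not code from the original advisory: it parses a raw RFC 822 message with Python's standard email package and reports which indicators are present. The two sample messages and the scoring weights are constructed here; the fixed archive password 55132098 is treated as the strongest single indicator because it is constant across every body variant, while a subject such as "hello" is too common to count on its own.

```python
# Added triage example (not from the original advisory): score a raw e-mail message
# against the W32/Bobandy-A indicators listed on the page. SAMPLE_WORM and
# SAMPLE_BENIGN are constructed messages; nothing is read from a real mailbox.
import email
from email import policy
from email.message import EmailMessage

SUBJECTS = {s.lower() for s in (
    "Registration Confirmation", "Cek This", "hello", "RE:bla bla bla", "RE:HeLLO GuYs")}
PASSWORD_LINE = "The password is 55132098"   # identical in every body variant
PROTECTED_LINE = "For security reasons attached file is password protected."
ATTACHMENTS = {"mypic.zip", "dataKU.zip", "attach.zip", "Update.zip",
               "Doc.uu", "file.zip", "thisfile.uu", "pic.zip"}


def classify(raw: bytes) -> dict:
    """Return the matched indicators, a score and a verdict for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]

    result = {
        "subject": subject in SUBJECTS,
        "password_line": PASSWORD_LINE in text,
        "protected_line": PROTECTED_LINE in text,
        "attachment": [n for n in names if n in ATTACHMENTS],
    }
    # Weights are an assumption of this example: the fixed password alone is enough,
    # a listed subject needs a listed attachment name (or the body lines) as well.
    score = ((1 if result["subject"] else 0)
             + (3 if result["password_line"] else 0)
             + (1 if result["protected_line"] else 0)
             + (2 if result["attachment"] else 0))
    result["score"] = score
    result["verdict"] = score >= 3
    return result


def _build(subject: str, body: str, attachment=None) -> bytes:
    """Constructed sample message; attachment is (filename, bytes) or None."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"
    m["To"] = "you@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="zip", filename=name)
    return m.as_bytes()


SAMPLE_WORM = _build(
    "Cek This",
    "hi please see this file\n" + PROTECTED_LINE + "\n" + PASSWORD_LINE + "\n",
    ("mypic.zip", b"PK\x03\x04 not a real archive"),
)
SAMPLE_BENIGN = _build("hello", "are we still on for lunch tomorrow?\n")

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(label, classify(raw))
```

The .uu names in the list are uuencoded attachments; older mailers carry those inline in the body as a "begin 644 <name>" block rather than as a MIME part, so a check that only walks MIME attachments will miss them and should also look for that line in the body text.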