W32/Bobandy-E is a mass-mailing worm for the Windows platform.
When first run, W32/Bobandy-E copies itself to shared folders under the following names:
admcgi.exe
Administrator Porn.exe
admisapi.exe
adodb.cmd
bin.exe
Binaries.exe
bots.exe
Config.exe
DAO.exe
Data Administrator.exe
Foto Administrator.exe
isapi.exe
lsass.exe
moonlight.scr
MSInfo.exe
MSWINSCK.ocx647
My Music.exe
My Pictures.exe
New Folder(2).exe
New Folder.scr
res.exe
scripts.exe
service.exe
servsupp.exe
smss.exe
Speech.exe
Stationery.exe
system.exe
TextConv.exe
Triedit.exe
VGX.exe
vinavbar.exe
Web Folders.exe
web server extensions.exe
winlogon.exe
W32/Bobandy-E also copies itself to the following locations:
<Startup>\adodb.cmd
<User>\Templates\<random characters>\<random characters>.exe
<User>\Templates\<random characters>\service.exe
<User>\Templates\<random characters>\winlogon.exe
<Windows>\<random characters>\<random characters>.com
<Windows>\<random characters>\smss.exe
<Windows>\<random characters>\system.exe
<Windows>\<random characters>.exe
<Windows>\lsass.exe
<System>\<random characters>\<random characters>.exe
<System>\<random characters>\<random characters>.com
<System>\moonlight.scr
and creates the file <System>\crtsys.dll.
Registry entries are created under:
HKCU\Software\VB and VBA Program Settings\titta\
HKCU\Software\VB and VBA Program Settings\untukmu2\
Emails sent by W32/Bobandy-E have the following characteristics:
Subject lines chosen from:
hey Indonesian porn
Agnes Monica pic's
Fucking With Me :D
please read again what i have written to you
miss Indonesian
Cek This
Japannes Porn
Aku Mencari Wanita yang aku Cintai
dan cara menggunakan email mass
ini adalah cara terakhirku ,di lampiran ini terdapat
foto dan data Wanita tsb Thank's
NB:Mohon di teruskan kesahabat anda
aku mahasiswa BSI Margonda smt 4
yah aku sedang membutuhkan pekerjaan
CoolMan
oh ya aku tahu anda dr milis ilmu komputer
di lampiran ini terdapat curriculum vittae dan foto saya
File attachments may arrive as:
MyHeart.exe
KesenjanganSosial.exe
FirstLove.exe
W32/Bobandy-E also creates the following harmless files: <Windows>\MoonLight.txt and <System>\crtsys.dll.
W32/Bobandy-E creates the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random characters>
<System32>\<random characters>.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random characters>
<Windows>\<random characters>.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe, <path to worm executable>
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
UncheckedValue
0
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
AlternateShell
<path to worm executable>
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
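The registry changes listed above are the ones a responder would look for first. The following triage helper is an added example, not part of this advisory: it takes registry values (key, value name, data), for instance parsed from a .reg export of a suspect host, and flags those matching the persistence and defence-evasion changes described for W32/Bobandy-E. The defaults it compares against (explorer.exe, cmd.exe, SharedAccess Start=2) are assumed Windows XP defaults, and the sample snapshot is constructed.

```python
# Added triage helper, not part of the advisory: given registry values
# (key, value name, data), e.g. parsed from a .reg export of a suspect host,
# flag the ones that match the persistence and defence-evasion changes
# described for W32/Bobandy-E. Defaults compared against are assumed XP defaults.

HKLM_SW = r"HKLM\SOFTWARE\Microsoft\Windows"
HKCU_SW = r"HKCU\Software\Microsoft\Windows"

# (key, value name, test on lower-cased data, reason); key and name compare case-insensitively.
CHECKS = [
    (HKLM_SW + r" NT\CurrentVersion\Winlogon", "Shell",
     lambda d: d != "explorer.exe", "logon shell is not plain explorer.exe"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot", "AlternateShell",
     lambda d: d != "cmd.exe", "Safe Mode shell replaced"),
    (HKCU_SW + r"\CurrentVersion\Policies\System", "DisableRegistryTools",
     lambda d: d == "1", "registry editor disabled by policy"),
    (HKCU_SW + r"\CurrentVersion\Explorer\Advanced", "ShowSuperHidden",
     lambda d: d == "0", "protected operating system files hidden in Explorer"),
    (HKLM_SW + r"\CurrentVersion\Explorer\Advanced\Folder\SuperHidden", "UncheckedValue",
     lambda d: d == "0", "Explorer option forced to keep system files hidden"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess", "Start",
     lambda d: d != "2", "firewall/ICS service start type changed from Automatic"),
]

def audit(entries):
    """Return (key, name, data, reason) for each entry matching a check."""
    findings = []
    for key, name, data in entries:
        d = str(data).strip().lower()
        for ckey, cname, bad, reason in CHECKS:
            if key.lower() == ckey.lower() and name.lower() == cname.lower() and bad(d):
                findings.append((key, name, data, reason))
    return findings

# Constructed sample snapshot: two clean values plus three changes matching the advisory.
SAMPLE = [
    (HKLM_SW + r" NT\CurrentVersion\Winlogon", "Shell", r"explorer.exe, C:\WINDOWS\abcd\system.exe"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot", "AlternateShell", "cmd.exe"),
    (HKCU_SW + r"\CurrentVersion\Policies\System", "DisableRegistryTools", 1),
    (HKCU_SW + r"\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", 1),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess", "Start", 0),
]

if __name__ == "__main__":
    for key, name, data, reason in audit(SAMPLE):
        print(f"{key}\\{name} = {data!r}: {reason}")
```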
W32/Bobandy-E attempts to copy itself to the root folders of all mapped drives.
W32/Bobandy-E harvests email addresses from files on the infected computer and includes functionality to terminate security- and anti-virus-related processes and to record keystrokes.