W32/Bobax-D

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/Bobax-D is a Sasser-like worm that uses the MS04-011 (LSASS.exe) vulnerability to propagate.

When run, W32/Bobax-D creates a helper DLL with a random name in the temp folder. When the DLL is loaded, the executable component copies itself to the Windows system folder under a random name.

This DLL is injected into Explorer as a separate thread, so it is not visible as a separate process.

The worm listens on a randomly chosen TCP port, which it then includes in its outbound traffic so that infected systems can connect back to it.

W32/Bobax-D also carries an email relay module, allowing infected computers to be used to send unsolicited email.

W32/Bobax-D will also attempt to disable the Microsoft Windows firewall.


W32/Bobax-D sets the following registry entries in order to auto-start on user logon:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
<random name> = <path to worm>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
<random name> = <path to worm>




W32/Bobax-D attempts to modify the HOSTS file located at %SYSTEM%\Drivers\etc\HOSTS, mapping selected anti-virus websites to the address 255.255.255.255 in an attempt to prevent access to these sites.
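As an added example that is not part of the Sophos description, the following Python parser reads HOSTS file content and reports hostnames mapped to 255.255.255.255, the sinkhole address this worm uses; the sample HOSTS content and hostnames are constructed for illustration.

```python
import re
from typing import List, Tuple

# Address the worm uses to black-hole anti-virus sites (from the description above).
SINKHOLE_ADDRESSES = {"255.255.255.255"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs from HOSTS file content.

    Handles blank lines, full-line and inline '#' comments, tabs, and
    several hostnames on one line, as the Windows HOSTS format allows.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        fields = re.split(r"\s+", line)
        address, names = fields[0], fields[1:]
        for name in names:
            pairs.append((address, name.lower()))
    return pairs


def find_sinkholed_hosts(text: str) -> List[str]:
    """Hostnames whose HOSTS entry points at a known sinkhole address."""
    return sorted({name for addr, name in parse_hosts(text) if addr in SINKHOLE_ADDRESSES})


# Constructed sample HOSTS content (not a real capture); hostnames use the reserved .test TLD.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
255.255.255.255 www.example-av-vendor.test update.example-av-vendor.test
255.255.255.255\tdownloads.example-av-vendor.test  # appended by malware
192.0.2.10      intranet.example.test
"""

if __name__ == "__main__":
    for host in find_sinkholed_hosts(SAMPLE_HOSTS):
        print("HOSTS sinkhole entry:", host)
```

On a live system, point the function at the contents of %SYSTEM%\Drivers\etc\HOSTS; any hit is a strong indicator of tampering, since legitimate entries never resolve to the broadcast address.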


W32/Bobax-D will also set the following registry entry, which disables the SharedAccess service (Windows Firewall/Internet Connection Sharing) by giving it a start type of 4 (disabled):

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start = 4
