Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | June 2008 (4.30) |
| Protection available since | 23 October 2006 22:04:49 (GMT) |
| Last updated | 28 April 2008 09:21:58 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
W32/Bobandy-D is a mass-mailing worm for the Windows platform.
Emails sent by W32/Bobandy-D have the following characteristics:
Subject line:
Tolong Aku..
Tolong
hi please see this file
hey Indonesian porn Tiara lestari pic's
Registration Confirmation
Cek This
hello
RE:bla bla bla
RE:HeLLO GuYs
SpawN
Message text (one of the following bodies):

hi please see this file
For security reasons attached file is password protected.
The password is 55132098

hey Indonesian porn
Tiara lestari pic's
For security reasons attached file is password protected.
The password is 55132098

free screen saver romance for you
Please Visit Our Web Site
For security reasons attached file is password protected.
The password is 55132098

please read again what i have written to you
For security reasons attached file is password protected.
The password is 55132098

thank's for you register, your acount details are attached
For security reasons attached file is password protected.
The password is 55132098
The attached file will take one of the following names:
MYpIC.zip
curriculum vittae.zip
USE_RAR_To_Extract.ace
ZIPPED.zip
FILEATTACH.bz2
Doc.gz
file.bz2
thisfile.gz
TITTA'S Picture.jar
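Taken together, the subject lines, body text and attachment names above are enough to triage a mailbox or mail-gateway spool for this worm. The script below is an added example, not Sophos code and not part of any Sophos product: it scores each message against the indicators listed above, treating the fixed password line and the exact attachment names as strong indicators and the subject, the lure sentence and a bare archive attachment as weak ones. The messages it parses are constructed here for the demonstration, and score_message, build_sample and the verdict thresholds are the example's own choices.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicator lists copied from the description above.
SUBJECTS = {
    "Tolong Aku..", "Tolong", "hi please see this file",
    "hey Indonesian porn Tiara lestari pic's", "Registration Confirmation",
    "Cek This", "hello", "RE:bla bla bla", "RE:HeLLO GuYs", "SpawN",
}
ATTACHMENT_NAMES = {
    "MYpIC.zip", "curriculum vittae.zip", "USE_RAR_To_Extract.ace", "ZIPPED.zip",
    "FILEATTACH.bz2", "Doc.gz", "file.bz2", "thisfile.gz", "TITTA'S Picture.jar",
}
ARCHIVE_EXT = {"zip", "ace", "bz2", "gz", "jar"}
PASSWORD_RE = re.compile(r"the password is 55132098", re.I)
LURE_RE = re.compile(r"for security reasons attached file is password protected", re.I)
STRONG = {"password", "attachment-name"}   # enough on their own to block


def score_message(raw: bytes) -> dict:
    """Score one RFC 822 message against the indicators and return a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    names, body = [], []
    for part in msg.walk():
        if part.get_filename():
            names.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            body.append(part.get_content())
    text = "\n".join(body)
    hits = []
    if subject in SUBJECTS:
        hits.append("subject")
    if PASSWORD_RE.search(text):
        hits.append("password")
    if LURE_RE.search(text):
        hits.append("lure-text")
    if any(n in ATTACHMENT_NAMES for n in names):
        hits.append("attachment-name")
    if any("." in n and n.rsplit(".", 1)[-1].lower() in ARCHIVE_EXT for n in names):
        hits.append("archive-attachment")
    if any(h in STRONG for h in hits) or len(hits) >= 2:
        verdict = "block"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"subject": subject, "attachments": names, "hits": hits, "verdict": verdict}


def build_sample(subject: str, body: str, attachment: str = "") -> bytes:
    """Build a constructed test message (not a real capture)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"PK\x03\x04 constructed payload, not a real archive",
                         maintype="application", subtype="octet-stream",
                         filename=attachment)
    return bytes(m)


# Constructed messages: one worm mail and three ordinary ones.
SAMPLES = [
    build_sample("hi please see this file",
                 "hi please see this file\n"
                 "For security reasons attached file is password protected.\n"
                 "The password is 55132098\n", "MYpIC.zip"),
    build_sample("hello", "Minutes from today's meeting are attached.\n", "minutes.pdf"),
    build_sample("Quarterly figures", "Spreadsheet attached.\n", "q3.zip"),
    build_sample("Lunch?", "Same place at noon?\n"),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        r = score_message(raw)
        print(f"{r['verdict']:7} {r['subject']!r:30} hits={r['hits']}")
```

The weak indicators deliberately only raise a message for review: a subject of "hello" or a .zip attachment is common in ordinary mail, whereas the fixed password line and the exact attachment names are what justify blocking outright.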
When first run W32/Bobandy-D copies itself to:
<Startup>\sql.cmd
<User>\Templates\o<random digits>z\Tux<random characters>.exe
<User>\Templates\o<random digits>z\service.exe
<User>\Templates\o<random digits>z\winlogon.exe
<Windows>\Ti<random characters>tta.exe
<Windows>\m<random digits>\EmangEloh.exe
<Windows>\m<random digits>\Ja<random characters>bLay.com
<Windows>\m<random digits>\smss.exe
<Windows>\sa-<random digits>.exe
<System>\<random digits>l.exe
<System>\X<random digits>go\Z<random digits>cie.cmd
W32/Bobandy-D will also copy itself to the following locations:
<Program Files>\Common Files\Microsoft Shared\
<Program Files>\Movie Maker\Shared\
<Windows>\Downloaded Program Files\
<Windows>\ime\shared\
<Windows>\pchealth\UploadLB\
<Windows>\SoftwareDistribution\Download\
As any one of the following file names:
TutoriaL HAcking
Lagu - Server
Data DosenKu
Titip Folder Jangan DiHapus
Love Song
The Best Ungu
Norman virus Control 5.18
Blink 182
Windows Vista setup
Gallery
RaHasIA
noGods
appActive
open
EmangEloh.exe
smss
service
Data
Foto
New Folder(2)
New Folder
Porn
W32/Bobandy-D also creates the following harmless file:
[TheMoonlight].txt
W32/Bobandy-D creates the following registry entries so that it is started at every logon (key, then value name = data):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    T<random characters> = <Windows>\sa-<random digits>.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    T<random characters>T4 = <System>\<random digits>l.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell = explorer.exe, <User>\Templates\o<random digits>z\Tux<random characters>.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit = userinit.exe, <Windows>\m<random digits>\Ja<random characters>bLay.com
The Shell and Userinit values normally contain only explorer.exe and userinit.exe; the extra comma-separated entry makes Winlogon launch the worm alongside them, so deleting the Run values alone does not stop it.
W32/Bobandy-D sets the following registry entries to hinder removal:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
    Debugger = <Windows>\notepad.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
    Debugger = <Windows>\notepad.exe
HKLM\SYSTEM\ControlSet002\Safeboot
    AlternateShell = <random digits>l.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools = 1
The Image File Execution Options entries make Windows start notepad.exe whenever msconfig.exe or regedit.exe is launched. AlternateShell replaces cmd.exe as the shell used by "Safe Mode with Command Prompt", so the worm's copy is started even in that mode. DisableRegistryTools blocks regedit by policy for the infected user.
Registry entries are also created under:
HKCU\Software\VB and VBA Program Settings\untukmu
HKCU\Software\VB and VBA Program Settings\noGods
HKLM\SOFTWARE\Microsoft\TUX
(HKCU\Software\VB and VBA Program Settings is the key that Visual Basic's SaveSetting function writes to.)
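A quick way to check a suspect machine for the persistence and self-defence settings above is to run reg export on the relevant hives and scan the output offline. The script below is an added example, not Sophos code: parse_reg is a minimal parser for the .reg export format (string and DWORD values only) and find_hijacks flags extra Winlogon Shell and Userinit entries, Image File Execution Options Debugger redirections, a non-default SafeBoot AlternateShell, DisableRegistryTools, and Run values whose file names match the worm's sa-<random digits>.exe and <random digits>l.exe patterns. The two exports embedded in it are constructed: the digits and letters standing in for the <random ...> parts of the paths are made up, and the SafeBoot key is written with its full path (HKLM\SYSTEM\ControlSet002\Control\SafeBoot).

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str, str]  # (check, key, value name, data)
HKLM, HKCU = "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"
WINLOGON = HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
IFEO = HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
RUN_KEYS = (HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Run")
POLICY_KEYS = (HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
               HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System")
# File-name patterns of the worm's Run-key targets: sa-<digits>.exe and <digits>l.exe.
WORM_NAME_RE = re.compile(r"(sa-\d+|\d+l)\.exe$", re.I)

# Constructed 'reg export' output resembling an infected host. The digits and
# letters standing in for the <random ...> parts of the names are made up.
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tqwerty"="C:\\WINDOWS\\sa-4821.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TzxcvT4"="C:\\WINDOWS\\system32\\7731l.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\Documents and Settings\\user\\Templates\\o913z\\Tuxabc.exe"
"Userinit"="userinit.exe, C:\\WINDOWS\\m552\\JaqwbLay.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"Debugger"="C:\\WINDOWS\\notepad.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\WINDOWS\\notepad.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot]
"AlternateShell"="7731l.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''

# Constructed export from a clean host, for comparison.
CLEAN_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot]
"AlternateShell"="cmd.exe"
'''


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for .reg export text (REG_SZ and REG_DWORD values only)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith("dword:"):
                data = str(int(data[6:], 16))          # store DWORDs as decimal text
            elif data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def _basenames(data: str) -> List[str]:
    """Split a comma-separated Winlogon-style value into lower-cased file names."""
    return [e.strip().strip('"').rsplit("\\", 1)[-1].lower()
            for e in data.split(",") if e.strip()]


def find_hijacks(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Flag the persistence and self-defence settings the description lists."""
    found: List[Finding] = []
    for key in RUN_KEYS:                                   # Run values with worm-like names
        for name, data in keys.get(key, {}).items():
            if WORM_NAME_RE.search(data.strip().strip('"')):
                found.append(("run-entry", key, name, data))
    wl = keys.get(WINLOGON, {})
    shell = wl.get("Shell", "explorer.exe")                # anything beyond explorer.exe
    if _basenames(shell) != ["explorer.exe"]:
        found.append(("winlogon-shell", WINLOGON, "Shell", shell))
    userinit = wl.get("Userinit", "userinit.exe,")          # anything beyond userinit.exe
    if _basenames(userinit) != ["userinit.exe"]:
        found.append(("winlogon-userinit", WINLOGON, "Userinit", userinit))
    for key, values in keys.items():
        if key.lower().startswith(IFEO.lower() + "\\"):    # Debugger redirects the target
            for name, data in values.items():
                if name.lower() == "debugger":
                    found.append(("ifeo-debugger", key, name, data))
        if key.lower().endswith("\\safeboot"):             # default shell is cmd.exe
            alt = values.get("AlternateShell", "cmd.exe")
            if _basenames(alt) != ["cmd.exe"]:
                found.append(("safeboot-alternateshell", key, "AlternateShell", alt))
    for key in POLICY_KEYS:
        if keys.get(key, {}).get("DisableRegistryTools") == "1":
            found.append(("disable-registry-tools", key, "DisableRegistryTools", "1"))
    return found


if __name__ == "__main__":
    for check, key, name, data in find_hijacks(parse_reg(INFECTED_REG)):
        print(f"{check:24} {key}\\{name} = {data}")
```

The Winlogon, IFEO and SafeBoot checks are generic (any second Shell or Userinit entry, any Debugger value, any AlternateShell other than cmd.exe), so they also catch other malware that uses the same hooks; only the Run-key check is tied to this worm's file-name patterns.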
W32/Bobandy-D attempts to copy itself to the root folders of all mapped drives.
W32/Bobandy-D harvests email addresses from files on the infected computer.
