Sophos

W32/Bobandy-D

Aliases
  • Worm.Win32.VB.cz
  • W32/MoonLight.worm virus

How it spreads
  • Email messages
  • Email attachments
  • Network shares
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Protection available since: 23 October 2006 22:04:49 (GMT)
Last updated: 28 April 2008 09:21:58 (GMT)
Detected by: All Sophos products

More Information

W32/Bobandy-D is a mass-mailing worm for the Windows platform.

Emails sent by W32/Bobandy-D have the following characteristics:

Subject line:

Tolong Aku..
Tolong
hi please see this file
hey Indonesian porn Tiara lestari pic's
Registration Confirmation
Cek This
hello
RE:bla bla bla
RE:HeLLO GuYs
SpawN

Message text:

hi please see this file
For security reasons attached file is password protected.
The password is 55132098

hey Indonesian porn
Tiara lestari pic's
For security reasons attached file is password protected.
The password is 55132098

free screen saver romance for you
Please Visit Our Web Site
For security reasons attached file is password protected.
The password is 55132098

please read again what i have written to you
For security reasons attached file is password protected.
The password is 55132098

thank's for you register, your acount details are attached
For security reasons attached file is password protected.
The password is 55132098

The attached file will take one of the following names:

MYpIC.zip
curriculum vittae.zip
USE_RAR_To_Extract.ace
ZIPPED.zip
FILEATTACH.bz2
Doc.gz
file.bz2
thisfile.gz
TITTA'S Picture.jar
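The subject lines, lure text and attachment names above are exactly the fields a mail gateway or incident responder can match on. The following Python is an added example, not Sophos code: it parses a raw RFC 822 message with the standard library `email` package and reports which of the listed indicators fire. The indicator strings are transcribed from this analysis; the sample message is constructed for illustration, and the `is_bobandy_lure` decision rule (lure body text plus either a listed subject or a listed attachment name) is the author's own choice, since a subject such as "hello" on its own is far too weak to act on.

```python
"""Match a raw email against the W32/Bobandy-D lure characteristics.

Added example (not Sophos code). Indicator strings come from the analysis;
SAMPLE is a constructed message and the decision rule is an assumption.
"""
from email import policy
from email.parser import BytesParser

# Subject lines listed in the analysis, normalised to lower case.
SUBJECTS = {
    "tolong aku..", "tolong", "hi please see this file",
    "hey indonesian porn tiara lestari pic's", "registration confirmation",
    "cek this", "hello", "re:bla bla bla", "re:hello guys", "spawn",
}
# Body fragments common to every lure variant listed in the analysis.
BODY_MARKERS = (
    "for security reasons attached file is password protected",
    "the password is 55132098",
)
# Attachment names listed in the analysis, normalised to lower case.
ATTACHMENTS = {
    "mypic.zip", "curriculum vittae.zip", "use_rar_to_extract.ace",
    "zipped.zip", "fileattach.bz2", "doc.gz", "file.bz2", "thisfile.gz",
    "titta's picture.jar",
}

# Constructed sample message; the zip payload is a meaningless placeholder.
SAMPLE = b"""From: someone@example.invalid
To: victim@example.invalid
Subject: Cek This
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

hi please see this file
For security reasons attached file is password protected.
The password is 55132098

--b1
Content-Type: application/zip; name="MYpIC.zip"
Content-Disposition: attachment; filename="MYpIC.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""


def bobandy_indicators(raw: bytes) -> list[str]:
    """Return the indicators (subject:, body:, attachment:) that fire on one message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits: list[str] = []
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in SUBJECTS:
        hits.append(f"subject:{subject}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    for marker in BODY_MARKERS:
        if marker in text:
            hits.append(f"body:{marker}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits.append(f"attachment:{name}")
    return hits


def is_bobandy_lure(raw: bytes) -> bool:
    """Assumed decision rule: lure body text plus a listed subject or attachment
    name. A subject match alone ('hello') is not enough to quarantine."""
    hits = bobandy_indicators(raw)
    has_body = any(h.startswith("body:") for h in hits)
    has_name = any(h.startswith(("subject:", "attachment:")) for h in hits)
    return has_body and has_name


if __name__ == "__main__":
    print(bobandy_indicators(SAMPLE))
    print("quarantine" if is_bobandy_lure(SAMPLE) else "deliver")
```

The password line is the most durable indicator here: the same value appears in every lure variant listed, and a fixed archive password is rare in legitimate mail, so it is worth keeping as a standalone rule even after the subject and file-name lists go stale.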

When first run, W32/Bobandy-D copies itself to:

<Startup>\sql.cmd
<User>\Templates\o<random digits>z\Tux<random characters>.exe
<User>\Templates\o<random digits>z\service.exe
<User>\Templates\o<random digits>z\winlogon.exe
<Windows>\Ti<random characters>tta.exe
<Windows>\m<random digits>\EmangEloh.exe
<Windows>\m<random digits>\Ja<random characters>bLay.com
<Windows>\m<random digits>\smss.exe
<Windows>\sa-<random digits>.exe
<System>\<random digits>l.exe
<System>\X<random digits>go\Z<random digits>cie.cmd

W32/Bobandy-D will also copy itself to the following locations:

<Program Files>\Common Files\Microsoft Shared\
<Program Files>\Movie Maker\Shared\
<Windows>\Downloaded Program Files\
<Windows>\ime\shared\
<Windows>\pchealth\UploadLB\
<Windows>\SoftwareDistribution\Download\

using any one of the following file names:

TutoriaL HAcking
Lagu - Server
Data DosenKu
Titip Folder Jangan DiHapus
Love Song
The Best Ungu
Norman virus Control 5.18
Blink 182
Windows Vista setup
Gallery
RaHasIA
noGods
appActive
open
EmangEloh.exe
smss
service
Data
Foto
New Folder(2)
New Folder
Porn

W32/Bobandy-D also creates the following harmless file:

\[TheMoonlight].txt

W32/Bobandy-D creates the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
T<random characters>
<Windows>\sa-<random digits>.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
T<random characters>T4
<System>\<random digits>l.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe, <User>\Templates\o<random digits>z\Tux<random characters>.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
userinit.exe, <Windows>\m<random digits>\Ja<random characters>bLay.com

W32/Bobandy-D sets the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
msconfig.exe
<Windows>\notepad.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
regedit.exe
<Windows>\notepad.exe

HKLM\SYSTEM\ControlSet002\Safeboot
AlternateShell
<random digits>l.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

Registry entries are created under:

HKCU\Software\VB and VBA Program Settings\untukmu
HKCU\Software\VB and VBA Program Settings\noGods
HKLM\SOFTWARE\Microsoft\TUX
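Taken together, the registry changes above are a compact persistence and anti-remediation set: two Run entries, a hijacked Winlogon Shell and Userinit, Image File Execution Options redirects that turn msconfig.exe and regedit.exe into Notepad, a Safe Mode AlternateShell pointing at the worm, and DisableRegistryTools. The script below is an added example, not Sophos code: it parses a "Windows Registry Editor Version 5.00" export taken from a suspect machine and reports every entry that departs from the expected baseline. Key paths, value names and the `<random digits>`/`<random characters>` shapes come from this analysis; the sample export and its made-up random parts are constructed. Two assumptions are the author's: the IFEO redirects are checked as a `Debugger` value under a per-executable subkey, which is how such redirects are stored, and the SafeBoot key is matched on its last path component so that both the path listed above and the usual `...\Control\SafeBoot` location are covered.

```python
"""Audit a Registry Editor export for the W32/Bobandy-D persistence changes.

Added example (not Sophos code). Baselines assumed: Winlogon Shell is exactly
explorer.exe, Userinit holds a single userinit.exe entry, no IFEO Debugger for
msconfig.exe/regedit.exe, SafeBoot AlternateShell is cmd.exe, and
DisableRegistryTools is not set.
"""
import re

# Constructed sample export; the "random" parts are made up to mirror the analysis.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TqXz"="C:\\WINDOWS\\sa-4821.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TqXzT4"="C:\\WINDOWS\\system32\\7731l.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\Documents and Settings\\user\\Templates\\o4821z\\TuxKq.exe"
"Userinit"="userinit.exe, C:\\WINDOWS\\m4821\\JaQwbLay.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"Debugger"="C:\\WINDOWS\\notepad.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot]
"AlternateShell"="4821l.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''

# File-name shapes the worm uses for its copies (from the analysis):
# sa-<digits>.exe, <digits>l.exe, Templates\o<digits>z\, m<digits>\, X<digits>go\.
SUSPECT_PATH = re.compile(
    r"\\sa-\d+\.exe$|\\\d+l\.exe$|\\Templates\\o\d+z\\|\\m\d+\\|\\X\d+go\\",
    re.IGNORECASE,
)


def parse_reg(text: str) -> dict[str, dict[str, object]]:
    """Parse a Registry Editor 5.00 export into {key_path: {value_name: data}}.
    REG_SZ strings are unescaped and dword values converted to int; other
    types stay as raw text. A real export on disk is UTF-16 with a BOM, so
    read it with encoding='utf-16' before passing it here."""
    keys: dict[str, dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name_part, data = line.split("=", 1)   # value names containing '=' are not handled
        name = "" if name_part == "@" else name_part.strip('"')
        if data.startswith('"') and data.endswith('"'):
            value: object = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif data.startswith("dword:"):
            value = int(data[len("dword:"):], 16)
        else:
            value = data
        keys[current][name] = value
    return keys


def audit(keys: dict[str, dict[str, object]]) -> list[str]:
    """Return one finding per entry that matches the worm's changes."""
    findings: list[str] = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\currentversion\\run"):
            for name, data in values.items():
                if isinstance(data, str) and SUSPECT_PATH.search(data):
                    findings.append(f"run-entry {key}\\{name} -> {data}")
        elif k.endswith("\\winlogon"):
            shell = values.get("Shell")
            if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
                findings.append(f"winlogon-shell {shell}")
            userinit = values.get("Userinit")
            if isinstance(userinit, str):
                parts = [p.strip() for p in userinit.split(",") if p.strip()]
                if len(parts) != 1 or not parts[0].lower().endswith("userinit.exe"):
                    findings.append(f"winlogon-userinit {userinit}")
        elif "\\image file execution options\\" in k:
            exe = key.rsplit("\\", 1)[1]   # assumption: per-executable subkey layout
            if "Debugger" in values and exe.lower() in ("msconfig.exe", "regedit.exe"):
                findings.append(f"ifeo-debugger {exe} -> {values['Debugger']}")
        elif k.endswith("\\safeboot"):
            alt = values.get("AlternateShell")
            if isinstance(alt, str) and alt.strip().lower() != "cmd.exe":
                findings.append(f"safeboot-alternateshell {alt}")
        elif k.endswith("\\policies\\system"):
            if values.get("DisableRegistryTools") == 1:
                findings.append("policy-disableregistrytools 1")
    return findings


def audit_reg_export(text: str) -> list[str]:
    return audit(parse_reg(text))


if __name__ == "__main__":
    for finding in audit_reg_export(REG_SAMPLE):
        print(finding)
```

Working from an export rather than the live hive is deliberate: on an infected machine regedit.exe itself is redirected to Notepad and the DisableRegistryTools policy is set, so the export should be taken offline (or with `reg export` from a clean environment) and reviewed there. The Winlogon and SafeBoot checks also explain why cleaning only the Run keys is not enough; with Shell, Userinit and AlternateShell still pointing at the worm it returns on the next normal or Safe Mode boot.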

W32/Bobandy-D attempts to copy itself to the root folders of all mapped drives.

W32/Bobandy-D harvests email addresses from files on the infected computer.
