W32/Bobax-C

Please follow the instructions for removing worms.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/RunServices/
<random eight character name> = <path to worm>

HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/
<random eight character name> = <path to worm>

and delete them if they exist.

Close the registry editor.

W32/Bobax-C is a Sasser-like worm that uses the MS04-011 (LSASS.exe) vulnerability to propagate.

When run W32/Bobax-C creates a helper dll in the temp folder with a random name. When the DLL is loaded the executable component copies itself to the Windows system folder under a random name.

W32/Bobax-C sets the following registry entries in order to auto-start on user logon:

HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/RunServices/
<random eight character name> = <path to worm>

HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/
<random eight character name> = <path to worm>

This DLL is injected into Explorer as a separate thread, so is not visible as a separate process.

The worm listens on a randomly chosen tcp port in the range 2000-62000 which the worm then includes in outbound traffic so infected systems can connect back.

W32/Bobax-C also carries an email relay module, allowing infected computers to be used for transmission of unsolicited emails.