Sophos

W32/Bobandy-D

Aliases
  • Worm.Win32.VB.cz
  • W32/MoonLight.worm
  • Win32/NoonLight.B
  • WORM_VB.BLN

How it spreads
  • Email attachments
  • Network shares
  • Peer-to-peer
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from May 2007 (4.17)
Protection available since 23 October 2006 22:04:49 (GMT)
Last updated 18 March 2007 01:16:00 (GMT)
Detected by All Sophos products

More Information

W32/Bobandy-D is a mass-mailing worm for the Windows platform.

Emails sent by W32/Bobandy-D have the following characteristics:

Subject line:

Tolong Aku..
Tolong
hi please see this file
hey Indonesian porn Tiara lestari pic's
Registration Confirmation
Cek This
hello
RE:bla bla bla
RE:HeLLO GuYs
SpawN

Message text:

hi please see this file
For security reasons attached file is password protected.
The password is 55132098

hey Indonesian porn
Tiara lestari pic's
For security reasons attached file is password protected.
The password is 55132098

free screen saver romance for you
Please Visit Our Web Site
For security reasons attached file is password protected.
The password is 55132098

please read again what i have written to you
For security reasons attached file is password protected.
The password is 55132098

thank's for you register, your acount details are attached
For security reasons attached file is password protected.
The password is 55132098

The attached file will have one of the following names:

MYpIC.zip
curriculum vittae.zip
USE_RAR_To_Extract.ace
ZIPPED.zip
FILEATTACH.bz2
Doc.gz
file.bz2
thisfile.gz
TITTA'S Picture.jar

When first run, W32/Bobandy-D copies itself to:

<Startup>\sql.cmd
<User>\Templates\o<random digits>z\Tux<random characters>.exe
<User>\Templates\o<random digits>z\service.exe
<User>\Templates\o<random digits>z\winlogon.exe
<Windows folder>\Ti<random characters>tta.exe
<Windows folder>\m<random digits>\EmangEloh.exe
<Windows folder>\m<random digits>\Ja<random characters>bLay.com
<Windows folder>\m<random digits>\smss.exe
<Windows folder>\sa-<random digits>.exe
<Windows system folder>\<random digits>l.exe
<Windows system folder>\X<random digits>go\Z<random digits>cie.cmd

W32/Bobandy-D will also copy itself to the following locations:

<Program Files>\Common Files\Microsoft Shared\
<Program Files>\Movie Maker\Shared\
<Windows folder>\Downloaded Program Files\
<Windows folder>\ime\shared\
<Windows folder>\pchealth\UploadLB\
<Windows folder>\SoftwareDistribution\Download\

As any one of the following file names:

TutoriaL HAcking
Lagu - Server
Data DosenKu
Titip Folder Jangan DiHapus
Love Song
The Best Ungu
Norman virus Control 5.18
Blink 182
Windows Vista setup
Gallery
RaHasIA
noGods
appActive
open
EmangEloh.exe
smss
service
Data
Foto
New Folder(2)
New Folder
Porn

W32/Bobandy-D also creates the following harmless files:

\[TheMoonlight].txt

W32/Bobandy-D creates the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
T<random characters>
<Windows folder>\sa-<random digits>.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
T<random characters>T4
<Windows system folder>\<random digits>l.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe, <User>\Templates\o<random digits>z\Tux<random characters>.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
userinit.exe, <Windows folder>\m<random digits>\Ja<random characters>bLay.com

W32/Bobandy-D sets the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
msconfig.exe
<Windows folder>\notepad.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
regedit.exe
<Windows folder>\notepad.exe

HKLM\SYSTEM\ControlSet002\Safeboot
AlternateShell
<random digits>l.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

Registry entries are created under:

HKCU\Software\VB and VBA Program Settings\untukmu\version\
HKCU\Software\VB and VBA Program Settings\noGods\appActive
HKLM\SOFTWARE\Microsoft\TUX\Path\
HKLM\SOFTWARE\Microsoft\TUX\biang\

W32/Bobandy-D attempts to copy itself to the root folders of all mapped drives.

W32/Bobandy-D harvests email addresses from files on the infected computer.
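As an added defender-side example (not part of the Sophos write-up), the following Python triages an offline registry snapshot for the persistence and tool-hijacking settings listed above: extra binaries appended to Winlogon Shell/Userinit, Image File Execution Options redirection of msconfig.exe and regedit.exe, a replaced SafeBoot AlternateShell, DisableRegistryTools, and Run entries whose file names follow the documented sa-<digits>.exe and <digits>l.exe patterns. The snapshot and its random file names are constructed, and the IFEO value name Debugger is assumed because the page does not name it.

```python
"""Offline triage of a registry snapshot for the persistence settings described
in the W32/Bobandy-D write-up. Input is a dict of '<key path>\\<value name>' -> data."""
import re

CLEAN = {"shell": "explorer.exe", "userinit": "userinit.exe"}   # expected Winlogon values
CLEAN_ALTSHELL = "cmd.exe"                                       # default SafeBoot shell
HIJACKED_TOOLS = ("msconfig.exe", "regedit.exe")                 # tools the worm redirects
# File-name patterns from the write-up, with <random digits> rendered as \d+.
RUN_PATTERNS = [re.compile(p, re.I) for p in (r"\\sa-\d+\.exe$", r"\\\d+l\.exe$")]

def _basenames(value):
    """Split a comma-separated Winlogon value into lower-case file names."""
    return [p.strip().lower().rsplit("\\", 1)[-1] for p in value.split(",") if p.strip()]

def triage(snapshot):
    """Return a list of human-readable findings for suspicious entries in snapshot."""
    findings = []
    for path, data in snapshot.items():
        key, _, name = path.rpartition("\\")
        k, n, d = key.lower(), name.lower(), str(data).strip()
        if k.endswith("\\winlogon") and n in CLEAN:
            extra = [b for b in _basenames(d) if b != CLEAN[n]]
            if extra:
                findings.append(f"Winlogon {name} launches extra binaries: {extra}")
        elif "\\image file execution options\\" in k and n == "debugger":
            tool = k.rsplit("\\", 1)[-1]          # IFEO value name Debugger is assumed
            if tool in HIJACKED_TOOLS:
                findings.append(f"IFEO redirects {tool} to {d}")
        elif k.endswith("\\safeboot") and n == "alternateshell" and d.lower() != CLEAN_ALTSHELL:
            findings.append(f"SafeBoot AlternateShell replaced with {d}")
        elif k.endswith("\\policies\\system") and n == "disableregistrytools" and d == "1":
            findings.append("DisableRegistryTools is set (regedit blocked)")
        elif k.endswith("\\currentversion\\run") and any(p.search(d) for p in RUN_PATTERNS):
            findings.append(f"Run entry '{name}' matches a Bobandy-D file-name pattern: {d}")
    return findings

# Constructed snapshot modelled on the write-up's entries (not captured from a real host).
SNAPSHOT = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tqzx": r"C:\Windows\sa-4821.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TqzxT4": r"C:\Windows\system32\7731l.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive": r"C:\Users\a\OneDrive.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": r"explorer.exe, C:\Users\a\Templates\o4419z\Tuxkqe.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit": r"C:\Windows\system32\userinit.exe, C:\Windows\m2208\JaqwbLay.com",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger": r"C:\Windows\notepad.exe",
    r"HKLM\SYSTEM\ControlSet002\SafeBoot\AlternateShell": "7731l.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools": 1,
}

if __name__ == "__main__":
    print(*triage(SNAPSHOT), sep="\n")
```

The benign OneDrive Run entry is included to show that only the documented patterns are flagged; on a live host the snapshot would come from an exported .reg file or a forensic hive parser.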
