Sophos

W32/Bobandy-F


Summary

Affected operating systems Windows
Included in our products from December 2007 (4.24)
Protection available since 31 January 2007 08:44:30 (GMT)
Last updated 18 October 2007 01:52:06 (GMT)
Detected by All Sophos products

More Information

W32/Bobandy-F is a mass-mailing worm for the Windows platform.

W32/Bobandy-F spreads by emailing itself to the email addresses harvested from the infected computer.

W32/Bobandy-F also attempts to spread by copying itself to folders commonly used by Peer to Peer (P2P) filesharing applications.

When first run W32/Bobandy-F copies itself to:

<My Documents>\<My Music>\My Music.exe
<My Documents>\<My Pictures>\My Pictures.exe
<Windows>\lsass.exe
<Windows>\QSF7N0S.exe
<Windows>\VDM2H2G.exe
<Windows>\NTC4D7O\<random characters>.com
<Windows>\NTC4D70\regedit.cmd
<Windows>\NTC4D70\service.exe
<Windows>\NTC4D70\smss.exe
<Windows>\NTC4D70\system.exe
<Windows>\NTC4D70\winlogon.exe
<Windows>\NTC4D70\XPV6I4O.exe
<System>\<random characters>\CTS3C8U.cmd
<System>\<random characters>.exe

and creates the following files:

<Windows>\cypreg.dll
<Windows>\MoonLight.txt
<System>\MSWINSCK.ocx531
<System>\systear.dll
<System>\msvbvm60.dl
<Windows>\onceinabluemoon.mid

These files are not malicious.

The following registry entries are set to run W32/Bobandy-F on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random characters>
<System>\<random characters>.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe, <Windows>\NTC4D7O\\XPV6I4O.exe

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
AlternateShell
<random characters>.exe

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\NTC4D7O\<random characters>.com

The following registry entries are set:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

HKCR\exefile
(default)
File Folder

HKCR\scrfile
(default)
File Folder

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
UncheckedValue
0

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
0
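The registry values and dropped file names above can be checked on a suspect host with the following triage script. It is an added example, not part of the Sophos advisory; the "normal" values assumed for the Winlogon Shell (explorer.exe) and SafeBoot AlternateShell (cmd.exe) are stock Windows defaults, not figures from the advisory.

```powershell
# Added example (not Sophos code): report registry values and files that the
# W32/Bobandy-F advisory attributes to the worm. Run from an elevated prompt.
$findings = @()

function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Values the advisory says the worm writes. HideFileExt=1 is also the Windows
# default, so a match there is reported as informational only.
$suspectValues = @(
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='Hidden';          Bad=0 },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='HideFileExt';     Bad=1; Info=$true },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='ShowSuperHidden'; Bad=0 },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden'; Name='UncheckedValue'; Bad=0 },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'; Name='Start'; Bad=0 },
    @{ Path='Registry::HKEY_CLASSES_ROOT\exefile'; Name='(default)'; Bad='File Folder' },
    @{ Path='Registry::HKEY_CLASSES_ROOT\scrfile'; Name='(default)'; Bad='File Folder' }
)
foreach ($c in $suspectValues) {
    $v = Get-RegValue $c.Path $c.Name
    if ($null -ne $v -and "$v" -eq "$($c.Bad)") {
        $level = if ($c.Info) { 'INFO' } else { 'SUSPECT' }
        $findings += "[$level] $($c.Path)\$($c.Name) = $v"
    }
}

# Persistence points: anything beyond the assumed stock value deserves a look.
$shell = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell'
if ($shell -and $shell -ne 'explorer.exe') { $findings += "[SUSPECT] Winlogon Shell = $shell" }
$alt = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot' 'AlternateShell'
if ($alt -and $alt -ne 'cmd.exe') { $findings += "[SUSPECT] SafeBoot AlternateShell = $alt" }
$load = Get-RegValue 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows' 'load'
if ($load) { $findings += "[SUSPECT] Windows\load = $load" }

# Dropped files named in the advisory (the real lsass.exe lives in System32, not the Windows root).
$files = @("$env:windir\lsass.exe", "$env:windir\cypreg.dll", "$env:windir\MoonLight.txt",
           "$env:windir\onceinabluemoon.mid", "$env:windir\System32\systear.dll",
           "$env:windir\System32\MSWINSCK.ocx531",
           (Join-Path ([Environment]::GetFolderPath('MyMusic')) 'My Music.exe'),
           (Join-Path ([Environment]::GetFolderPath('MyPictures')) 'My Pictures.exe'))
foreach ($f in $files) { if (Test-Path -LiteralPath $f) { $findings += "[SUSPECT] file present: $f" } }
# The advisory spells the dropped directory both NTC4D7O and NTC4D70; the wildcard covers both.
Get-ChildItem -Path $env:windir -Directory -Filter 'NTC4D7*' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "[SUSPECT] directory present: $($_.FullName)" }

if ($findings) { $findings } else { 'No W32/Bobandy-F indicators found.' }
```

A hit on the Winlogon Shell, SafeBoot AlternateShell or Windows\load value should be treated as a persistence finding regardless of whether the dropped files are still present.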
