Summary
| How it spreads | Email messages; peer-to-peer file sharing |
|---|---|
| Affected operating systems | Windows |
| Characteristics | Records keystrokes; terminates security-related processes; harvests email addresses |
| Included in our products from | June 2007 (4.18) |
| Protection available since | 21 March 2007 06:13:25 (GMT) |
| Last updated | 10 May 2007 06:20:28 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Bobandy-I is a mass-mailing worm for the Windows platform.
W32/Bobandy-I spreads by emailing itself to email addresses harvested from the infected computer.
W32/Bobandy-I also attempts to spread by copying itself to the shared folders commonly used by peer-to-peer (P2P) file-sharing applications.
When first run W32/Bobandy-I copies itself to:
<My Documents>\<My Music>\My Music.exe
<My Documents>\<My Pictures>\My Pictures.exe
<Windows>\lsass.exe
<Windows>\QSF7N0S.exe
<Windows>\VDM2H2G.exe
<Windows>\NTC4D7O\<random characters>.com
<Windows>\NTC4D70\regedit.cmd
<Windows>\NTC4D70\service.exe
<Windows>\NTC4D70\smss.exe
<Windows>\NTC4D70\system.exe
<Windows>\NTC4D70\winlogon.exe
<Windows>\NTC4D70\XPV6I4O.exe
<System>\<random characters>\CTS3C8U.cmd
<System>\<random characters>.exe
and creates the following files:
<Windows>\cypreg.dll
<Windows>\MoonLight.txt
<System>\MSWINSCK.ocx531
<System>\systear.dll
<System>\msvbvm60.dl
<Windows>\onceinabluemoon.mid
These files are not malicious.
Emails sent by W32/Bobandy-I have the following characteristics:
Subject lines chosen from:
hey Indonesian porn
Agnes Monica pic's
Fucking With Me :D
please read again what i have written to you
miss Indonesian
Cek This
Japannes Porn
Aku Mencari Wanita yang aku Cintai
dan cara menggunakan email mass
ini adalah cara terakhirku ,di lampiran ini terdapat
foto dan data Wanita tsb Thank's
NB:Mohon di teruskan kesahabat anda
aku mahasiswa BSI Margonda smt 4
yah aku sedang membutuhkan pekerjaan
CoolMan
oh ya aku tahu anda dr milis ilmu komputer
di lampiran ini terdapat curriculum vittae dan foto saya
File attachments may arrive as:
Doc 4166354.zip
need you 6243883.zip
need you 6381956.zip
video 9534116.zip
W32/Bobandy-I attempts to copy itself to the root folders of all mapped drives.
W32/Bobandy-I harvests email addresses from files on the infected computer and includes functionality to terminate security- and anti-virus-related processes and to record keystrokes.
The following registry entries are set to run W32/Bobandy-I on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random characters>
<System>\<random characters>.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe, <Windows>\<random characters>.exe
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
AlternateShell
<random characters>.exe
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\NTC4D7O\<random characters>.com
The following registry entries are set:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKCR\exefile
(default)
File Folder
HKCR\scrfile
(default)
File Folder
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
UncheckedValue
0
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
0
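One way a responder can check an exported registry hive for the persistence and hardening changes listed above, as an added example that is not from Sophos or the advisory: it parses `reg export` output and compares the values the worm touches against a clean-system baseline. The baseline defaults, the `parse_reg`/`find_tampering` names and the sample export are this example's assumptions.

```python
import re

# Clean-system baseline for values the advisory says W32/Bobandy-I changes. These
# defaults are this example's assumption (XP-era Windows); "@" is a key's (default) value.
BASELINE = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "explorer.exe",
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot", "AlternateShell"): "cmd.exe",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows", "load"): "",
    (r"HKEY_CLASSES_ROOT\exefile", "@"): "Application",  # "File Folder" makes an .exe look like a folder
    (r"HKEY_CLASSES_ROOT\scrfile", "@"): "Screen saver",
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess", "Start"): 2,
}

def parse_reg(text):
    """Parse 'reg export' (.reg) text into {(key, value name): data}."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'^(@|"([^"]*)")=(.*)$', line)):
            name = "@" if m.group(1) == "@" else m.group(2)
            raw = m.group(3)
            if raw.startswith("dword:"):
                values[(key, name)] = int(raw[6:], 16)
            else:  # quoted REG_SZ; .reg files double backslashes and escape quotes
                values[(key, name)] = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return values

def find_tampering(reg_text):
    """Return (key, name, observed) for every baseline value that deviates.
    Values absent from the export are treated as untouched."""
    values = parse_reg(reg_text)
    return [(k, n, values[(k, n)]) for (k, n), expected in BASELINE.items()
            if (k, n) in values and values[(k, n)] != expected]

# Constructed export of an infected host, shaped after the advisory's entries;
# XPV6I4O.exe stands in for the worm's randomly named copy.
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\WINDOWS\\XPV6I4O.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="XPV6I4O.exe"
[HKEY_CLASSES_ROOT\exefile]
@="File Folder"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000000
'''
```

Running `find_tampering(INFECTED_EXPORT)` reports the four deviating values; the randomly named Run entry and the `Explorer\Advanced` view settings are not baselined here because they vary per host.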
