Sophos

W32/Bobandy-C

Aliases
  • Worm.Win32.VB.cz
  • W32/MoonLight.worm
  • WORM_VB.BLW
  • Win32/NoonLight

Summary

How it spreads
  • Email attachments
  • Peer-to-peer
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from December 2006 (4.12)
Protection available since 18 October 2006 22:51:52 (GMT)
Detected by All Sophos products

More Information

W32/Bobandy-C is a mass-mailing worm for the Windows platform.

W32/Bobandy-C spreads by emailing itself to email addresses harvested from the infected computer.

W32/Bobandy-C also attempts to spread by copying itself to the shared folders of a number of peer-to-peer (P2P) filesharing applications.

When first run, W32/Bobandy-C copies itself to:

<Startup>\xz.cmd
<User>\Templates\<random number>\<random number>.exe
<User>\Templates\<random number>\service.exe
<User>\Templates\<random number>\winlogon.exe
<Windows>\<random number>.exe
<Windows>\<random number>\bb<random number>l.com
<Windows>\<random number>\smss.exe
<Windows>\<random number>\system.exe
<Windows>\l<random number>.exe
<Windows>\lsass.exe
<System>\<random number>a\c6738430.cmd
<System>\<random number>l.exe
<System>\moonlight.scr

(Note: <random number> varies from one infection to another. Several of the copies borrow the names of legitimate Windows system processes (lsass.exe, smss.exe, winlogon.exe) or near-misses of them (service.exe, system.exe), but are placed outside <System>, where the genuine binaries live.)

and creates the following files:

<System>\syscon.sys
<Windows>\MoonLight.txt
<Windows>\Renungan.html

These files are not malicious and can be safely deleted.

The following registry entries are set so that the worm is run at logon (via the Run keys and a redirected Common Startup folder), alongside explorer.exe as the Winlogon shell, and even in Safe Mode with Command Prompt (via SafeBoot\AlternateShell):

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random number>
<Windows>\<random number>.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random number>
<System>\<random number>l.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\
Common Startup
<System>\<random number>a

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
explorer.exe, <User>\Templates\<random number>\<random number>.exe

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell
<random number>.exe

Registry entries are created under:

HKCU\Software\VB and VBA Program Settings\titta\version\
HKCU\Software\VB and VBA Program Settings\untukmu2\version\
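The persistence and file-drop pattern described above can be checked mechanically. The following Python is an added example written for this page, not Sophos code. It runs two heuristics over a constructed snapshot: registry values are compared against the Windows defaults (Winlogon Shell must be exactly "explorer.exe", SafeBoot AlternateShell must be "cmd.exe", Common Startup must point at a Start Menu\Programs\Startup folder, and Run entries with numeric names or mostly-numeric targets are flagged), and file paths are flagged when a system-binary name appears outside the system directory, when the name is a known lookalike, when the name is mostly digits, or when the file sits in a Startup folder. The concrete numbers standing in for <random number>, the profile path, and the function names are assumptions for illustration.

```python
"""Added example (not Sophos code): heuristic checks for the persistence and
file-drop pattern described on this page, run over a constructed snapshot.
The numbers standing in for <random number>, the profile path and the function
names are assumptions; on a live host you would feed in reg.exe output and a
directory listing instead of the constants below."""
import re
from typing import Dict, List, Tuple

WINDOWS = r"C:\WINDOWS"
SYSTEM = r"C:\WINDOWS\system32"
USER = r"C:\Documents and Settings\alice"
STARTUP = USER + r"\Start Menu\Programs\Startup"

RUN_KEYS = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
}
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAFEBOOT = r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"
SHELL_FOLDERS = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"

# Constructed registry snapshot mirroring the entries on the page: (key, value name) -> data
REGISTRY: Dict[Tuple[str, str], str] = {
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "4817"): WINDOWS + r"\4817.exe",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "9132"): SYSTEM + r"\9132l.exe",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe"): SYSTEM + r"\ctfmon.exe",
    (SHELL_FOLDERS, "Common Startup"): SYSTEM + r"\2204a",
    (WINLOGON, "Shell"): "explorer.exe, " + USER + r"\Templates\7781\7781.exe",
    (SAFEBOOT, "AlternateShell"): "4817.exe",
}

# Constructed file listing: the dropped copies from the page plus three legitimate files
FILES: List[str] = [
    STARTUP + r"\xz.cmd",
    USER + r"\Templates\7781\7781.exe",
    USER + r"\Templates\7781\service.exe",
    USER + r"\Templates\7781\winlogon.exe",
    WINDOWS + r"\4817.exe",
    WINDOWS + r"\4817\bb4817l.com",
    WINDOWS + r"\4817\smss.exe",
    WINDOWS + r"\lsass.exe",
    SYSTEM + r"\2204a\c6738430.cmd",
    SYSTEM + r"\9132l.exe",
    SYSTEM + r"\moonlight.scr",  # dropped copy with an ordinary name: name heuristics miss it
    SYSTEM + r"\lsass.exe",      # the genuine lsass.exe, must not be flagged
    SYSTEM + r"\ctfmon.exe",     # ordinary Run-key target, must not be flagged
]

# Names Windows ships only in the system directory; a copy elsewhere is a masquerade.
SYSTEM_ONLY_NAMES = {"lsass.exe", "smss.exe", "winlogon.exe", "services.exe", "csrss.exe"}
# Near-misses of system names that do not exist on a clean install.
LOOKALIKE_NAMES = {"service.exe", "system.exe"}
# Stems such as 4817, l4817, 9132l, bb4817l, c6738430 with an executable extension.
MOSTLY_DIGITS = re.compile(r"^[a-z]{0,2}\d{3,}[a-z]?\.(exe|com|cmd|scr)$", re.IGNORECASE)

Finding = Tuple[str, str]  # (what was flagged, why)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def check_registry(reg: Dict[Tuple[str, str], str]) -> List[Finding]:
    findings: List[Finding] = []
    for (key, name), data in reg.items():
        target = data.strip().lower()
        if key in RUN_KEYS and (name.isdigit() or MOSTLY_DIGITS.match(basename(target))):
            findings.append((name, f"Run entry with numeric name or target: {data}"))
        elif key == WINLOGON and name.lower() == "shell" and target != "explorer.exe":
            findings.append((name, f"Winlogon Shell is '{data}', expected exactly 'explorer.exe'"))
        elif key == SAFEBOOT and name.lower() == "alternateshell" and target != "cmd.exe":
            findings.append((name, f"SafeBoot AlternateShell is '{data}', expected 'cmd.exe'"))
        elif (key == SHELL_FOLDERS and name.lower() == "common startup"
              and not target.endswith(r"\start menu\programs\startup")):
            findings.append((name, f"Common Startup redirected to {data}"))
    return findings


def check_files(paths: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for path in paths:
        name, folder = basename(path), dirname(path)
        if name in LOOKALIKE_NAMES:
            findings.append((path, "lookalike of a system binary name"))
        elif name in SYSTEM_ONLY_NAMES and folder != SYSTEM.lower():
            findings.append((path, f"system binary name outside {SYSTEM}"))
        elif MOSTLY_DIGITS.match(name):
            findings.append((path, "mostly-numeric executable name"))
        elif folder.endswith(r"\start menu\programs\startup"):
            findings.append((path, "file in a Startup folder, runs at logon"))
    return findings


if __name__ == "__main__":
    for item, reason in check_registry(REGISTRY) + check_files(FILES):
        print(f"{item}: {reason}")
```

Note the caveat the constructed listing makes visible: a dropped copy with an ordinary name (moonlight.scr) is not caught by name heuristics, so on a real host the registry findings, not the file names, are the reliable indicator, and the file list is confirmed by following the paths those registry values point at.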
