W32/Bobax-DB

Aliases	Net-Worm.Win32.Bobic.am
Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary


How it spreads	Email attachments Network shares
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Included in our products from	July 2006 (4.07)
Protection available since	22 May 2006 14:06:32 (GMT)
Detected by	All Sophos products

W32/Bobax-DB is a worm for the Windows platform.

W32/Bobax-DB spreads to other network computers by exploiting common buffer overflow vulnerabilities, including PNP (MS05-039).

W32/Bobax-DB includes functionality to access the internet and communicate with a remote server via HTTP.

When first run W32/Bobax-DB copies itself to <System>\<random name>.exe.

The following registry entry is created to run <filename>.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\filename
angnan
<System>\<filename>.exe

W32/Bobax-DB sets the following registry entries, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).

Get reports about the latest virus and spyware threats delivered to your computer