Uses the LSASS security hole, sent by email.
The worm scans random IP addresses and tries to connect to TCP port 5000. The worm needs to find Windows XP systems. If a connection is established, the following actions happen:
- Sends shellcode through TCP port 445.
- Downloads the executable worm copy with a .gif file and runs it.
Opens a random port and waits for incoming connections. The worm starts its SMTP server routine through the ports and uses the infected computer to pass on spam.
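The scan pattern described above (a sweep of TCP port 5000, then TCP port 445 connections to the hosts that answered) can be searched for in connection logs. The following is an added example, not part of the original description: the log format, the `min_targets` threshold and the function names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample flow records (not from a real capture).
# Assumed format: epoch_seconds source destination dest_port state
SAMPLE_FLOWS = """\
100 10.0.0.23 192.0.2.14 5000 SYN
101 10.0.0.23 198.51.100.7 5000 SYN
102 10.0.0.23 203.0.113.80 5000 EST
103 10.0.0.23 192.0.2.201 5000 SYN
104 10.0.0.23 198.51.100.66 5000 EST
105 10.0.0.23 203.0.113.80 445 EST
106 10.0.0.23 198.51.100.66 445 EST
107 10.0.0.40 10.0.0.5 445 EST
108 10.0.0.41 10.0.0.1 5000 EST
109 10.0.0.41 10.0.0.1 445 EST
"""

def parse_flows(text):
    """Yield (ts, src, dst, dport, state) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit() or not parts[3].isdigit():
            continue
        yield int(parts[0]), parts[1], parts[2], int(parts[3]), parts[4]

def find_scanners(text, min_targets=5):
    """Return {src: [dsts contacted on 445 after answering on 5000]} for
    sources that probed at least min_targets distinct hosts on TCP 5000."""
    probed = defaultdict(set)     # src -> every dst tried on port 5000
    answered = defaultdict(set)   # src -> dsts where port 5000 was established
    followups = defaultdict(set)  # src -> answered dsts later hit on port 445
    for ts, src, dst, dport, state in sorted(parse_flows(text)):
        if dport == 5000:
            probed[src].add(dst)
            if state == "EST":
                answered[src].add(dst)
        elif dport == 445 and dst in answered[src]:
            followups[src].add(dst)
    # A single 5000/445 pair (10.0.0.41) or plain SMB use (10.0.0.40) is not flagged.
    return {src: sorted(followups[src]) for src in probed
            if len(probed[src]) >= min_targets and followups[src]}

if __name__ == "__main__":
    for src, targets in find_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: port 5000 sweep, then 445 to {', '.join(targets)}")
```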
When activated, Worm/Bobax copies itself to %System%\%randomname%.exe and creates the following registry entries so that it starts automatically:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"%randomname%" = "%System%\%randomname%.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
"%randomname%" = "%System%\%randomname%.exe"
The worm deletes all files in %Temp% whose names start with "~". It creates a %randomname%.dll file in %Temp%. This .dll contains the main function of the worm. The .dll is started with EXPLORER.EXE, so that the actual application is no longer visible in the task list.
The worm tries to contact the web server. It needs a unique ID code for sending the infection.
The following attack actions can follow:
- sending spam emails
- sending system information to the author
- stopping and starting the scanning of IP addresses
- downloading and opening files.
Description inserted by Crony Walker on Tuesday, June 15, 2004