Alias: W32/Bobax.worm.a, TrojanProxy.Win32.Bobax.a
Size: 20.480 Bytes
Damage: Uses the LSASS security hole, sent by email.
VDF Version: 

Distribution: The worm scans random IP addresses and tries to connect to TCP port 5000. The worm needs to find Windows XP systems. If a connection is established, the following actions take place:
- Sends shellcode through TCP port 445.
- Downloads the executable worm copy with a .gif file and runs it.
- Opens a random port and waits for incoming connections. The worm starts its SMTP server routine through the ports and uses the infected computer to pass on spam.

Technical Details: When activated, Worm/Bobax copies itself to %System%\%randomname%.exe and creates the following registry entries so that it starts automatically:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ "%randomname%" = "%System%\%randomname%.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\ "%randomname%" = "%System%\%randomname%.exe"
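
A triage check for the autostart pattern described above, as an added example that is not part of the original description: it parses `reg query` text output and reports Run/RunServices values whose name equals the file name (without .exe) of an executable located directly in the system directory. The sample output, the value names in it and the default system directory are constructed assumptions; legitimate software can match the same pattern, so hits are leads for review.

```python
import ntpath
import re

# Autostart keys named in the description above (compared case-insensitively).
BASE = r"hkey_local_machine\software\microsoft\windows\currentversion"
WATCHED_KEYS = (BASE + r"\run", BASE + r"\runservices")
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

# Constructed sample of `reg query` output; every value name here is made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    UpdateCheck    REG_SZ    C:\WINDOWS\system32\updchk.exe
    VendorTray    REG_SZ    "C:\Program Files\Vendor\tray.exe" /min
    qhzkvtpw    REG_SZ    C:\WINDOWS\system32\qhzkvtpw.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    qhzkvtpw    REG_SZ    %SystemRoot%\system32\qhzkvtpw.exe
"""


def find_suspect_autoruns(reg_text, system_dir=r"C:\WINDOWS\system32"):
    """Return (key, value name, data) for entries matching the described pattern."""
    win_root = ntpath.dirname(system_dir)  # assumed value of %SystemRoot%
    hits, key = [], None
    for line in reg_text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip().rstrip("\\")
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or key.lower() not in WATCHED_KEYS:
            continue
        name, _type, data = m.groups()
        # Isolate the executable path: a quoted string, or text up to ".exe".
        path = data.strip()
        if path.startswith('"'):
            path = path[1:].split('"', 1)[0]
        else:
            path = re.split(r"(?<=\.exe)\s", path, maxsplit=1, flags=re.I)[0]
        for var in ("%systemroot%", "%windir%"):
            path = re.sub(re.escape(var), lambda _m: win_root, path, flags=re.I)
        folder, filename = ntpath.split(path)
        stem, ext = ntpath.splitext(filename)
        if (ext.lower() == ".exe" and stem.lower() == name.strip().lower()
                and folder.lower() == system_dir.lower()):
            hits.append((key, name.strip(), data.strip()))
    return hits

if __name__ == "__main__":
    print(find_suspect_autoruns(SAMPLE))
```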

The worm deletes all files in %Temp% whose names start with "~". It creates a %randomname%.dll file in %Temp%. This .dll contains the main function of the worm. The DLL is started with EXPLORER.EXE, so that the actual application is no longer visible in the task list.
The worm tries to contact the web server. It needs a unique ID code for sending the infection.
The following attack actions can follow:
- sending spam emails
- sending system information to the author
- stopping and starting IP address scanning
- downloading and opening files.
Description inserted by Crony Walker on Tuesday, June 15, 2004
