Alias: W32.Bobax.C, W32/Bobax.worm.c, TrojanProxy.Win32.Bobax.c
Type: Trojan
Size: 22,528 bytes
Origin: unknown
Date: 05-18-2004
Damage: Exploits the LSASS vulnerability, spreads by email and listens on TCP ports.
VDF Version: 6.25.00.79
Danger: Low
Distribution: Medium

Distribution
The worm scans random IP addresses and tries to connect to TCP port 5000 to find further Windows XP systems. It then connects to TCP port 135 on the remote computer to check for the RPC DCOM interface.

When a connection is made, the following happens:
- the worm sends shellcode over TCP port 445;
- it tries to exploit the buffer overrun in the Microsoft Windows LSASS service;
- if that exploit fails, the worm sends its exploit over TCP port 135 to use the DCOM RPC vulnerability instead;
- if either attempt succeeds, the injected code runs and connects back over HTTP to the infecting computer on a random port;
- the worm is downloaded from the infecting computer and saved on the remote computer as Svc.exe or as an executable file with a .gif extension;
- the worm is run on the remote computer.

The worm then opens a random port and listens for further connections. It also runs its own SMTP routine and sends spam from the infected computer.
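
The probe, exploit and call-back sequence above is a usable network signature. The following Python script is an added example and not code from the Avira description or from the worm: it runs that sequence over a small set of constructed connection-log lines (format "<epoch_seconds> <src_ip> <dst_ip> <dst_port>", invented for this example), flags sources that sweep TCP port 5000 across many hosts, and raises one alert per attacker/victim pair, distinguishing a bare exploit attempt from a victim that has connected back to fetch the worm body. The WINDOW and SCAN_THRESHOLD values are assumptions, not figures from the description.

```python
"""Detecting the Bobax.C propagation sequence in connection logs.

Added example; it is not code from the Avira description or from the worm.
It encodes the sequence the description gives: a source probes TCP/5000 on a
target, then attacks TCP/445 (LSASS) and/or TCP/135 (DCOM RPC) on the same
target, after which the target connects back to the source on a random port
to fetch the worm body over HTTP.

The log format is constructed for this example:
    "<epoch_seconds> <src_ip> <dst_ip> <dst_port>"
WINDOW and SCAN_THRESHOLD are assumptions, not values from the description.
"""
from collections import defaultdict

PROBE_PORT = 5000                            # probed first to find Windows XP hosts
EXPLOIT_PORTS = {445: "LSASS", 135: "DCOM RPC"}
WINDOW = 120                                 # seconds between probe, exploit and callback (assumption)
SCAN_THRESHOLD = 20                          # distinct hosts probed on 5000 before a source counts as a scanner (assumption)


def parse_line(line):
    """Parse one constructed log line into (ts, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def find_scanners(lines, threshold=SCAN_THRESHOLD):
    """Map each source probing TCP/5000 on >= threshold distinct hosts to that count."""
    targets = defaultdict(set)
    for ts, src, dst, dport in (parse_line(l) for l in lines if l.strip()):
        if dport == PROBE_PORT:
            targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= threshold}


def detect_propagation(lines, window=WINDOW):
    """One alert per (attacker, victim) pair whose traffic follows the probe ->
    exploit -> callback chain. 'stage' is 'exploit_attempt' when only the
    exploit traffic was seen, 'likely_infected' when the victim connected back."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    probes = defaultdict(list)    # (src, dst) -> [ts of TCP/5000 probes]
    exploits = defaultdict(list)  # (src, dst) -> [(ts, dport) of 445/135 connections]
    for ts, src, dst, dport in events:
        if dport == PROBE_PORT:
            probes[(src, dst)].append(ts)
        elif dport in EXPLOIT_PORTS:
            exploits[(src, dst)].append((ts, dport))

    alerts = {}
    for (attacker, victim), attempts in exploits.items():
        for ts, dport in attempts:
            # The exploit must follow a TCP/5000 probe of the same target; a bare
            # 445/135 connection is ordinary SMB/RPC traffic and is ignored.
            if not any(0 <= ts - p <= window for p in probes.get((attacker, victim), [])):
                continue
            alert = alerts.setdefault((attacker, victim), {
                "attacker": attacker, "victim": victim, "exploits": [],
                "callback_port": None, "stage": "exploit_attempt"})
            alert["exploits"].append(EXPLOIT_PORTS[dport])
            # Callback: victim -> attacker on a port that is none of the attack ports,
            # i.e. the random port on which the attacker serves the worm over HTTP.
            for cts, csrc, cdst, cport in events:
                if ((csrc, cdst) == (victim, attacker) and 0 <= cts - ts <= window
                        and cport != PROBE_PORT and cport not in EXPLOIT_PORTS):
                    alert["callback_port"] = cport
                    alert["stage"] = "likely_infected"
    return list(alerts.values())


# Constructed sample: 10.0.0.5 probes 25 hosts, infects 10.0.0.9 via LSASS,
# falls back to DCOM RPC against 10.0.0.12, and 10.0.0.30 is a benign SMB client.
SAMPLE_LOG = [f"{1000 + i} 10.0.0.5 10.0.0.{i} 5000" for i in range(1, 26)] + [
    "1040 10.0.0.5 10.0.0.9 445",    # LSASS exploit, 31 s after the probe
    "1043 10.0.0.9 10.0.0.5 2231",   # victim fetches the worm body back over HTTP
    "1050 10.0.0.5 10.0.0.12 445",   # LSASS attempt ...
    "1052 10.0.0.5 10.0.0.12 135",   # ... then the DCOM RPC fallback; no callback seen
    "1060 10.0.0.30 10.0.0.9 445",   # ordinary SMB session with no prior probe
]

if __name__ == "__main__":
    print("scanners:", find_scanners(SAMPLE_LOG))
    for alert in detect_propagation(SAMPLE_LOG):
        print(alert)
```

Requiring a port 5000 probe before the 445/135 connection is what keeps ordinary file-sharing and RPC traffic out of the alerts; the call-back check is what separates a blocked exploit attempt from a host that has already pulled down the worm.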

Technical Details
When activated, the worm Proxy.Bobax.c creates a mutex named "06:08:07:%random number%" to check whether another instance of itself is already running on the system. It copies itself to %System%\%random characters%.exe and tries to create the following two registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run\
"%Variable%" = "%SystemDIR%\%filename%.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices
"%Variable%" = "%SystemDIR%\%filename%.exe"

These entries start the worm automatically at every system start. The worm deletes all files in %Temp% whose names start with "~" and drops a %random name%.tmp file in %Temp%. This file is actually a DLL and contains the worm's main functionality. It is loaded only into the EXPLORER.EXE process, so it does not appear as a separate entry in the task list.
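
The persistence and dropper artefacts above (the Run/RunServices pair pointing at a random-named .exe in the system directory, the "06:08:07:<number>" mutex, the .tmp file that is really a DLL, and the downloaded copy saved under a .gif name) can be checked on a host. The following Python script is an added example and not code from the Avira description or from the worm: it evaluates a constructed host snapshot against those indicators and includes a small PE header walk to tell a DLL from an EXE regardless of the file name. The snapshot contents (the value name qzxkvd, the file names, the mutex number) are invented placeholders; collecting the real Run values, mutex list and file contents from a live Windows machine is assumed to be done separately, for instance with winreg for the registry.

```python
"""Host-side indicators of a Bobax.C infection, taken from the Avira description.

Added example; it is not code from the Avira description or from the worm.
It checks a snapshot of a machine for the artefacts the description names:
the same autostart value mirrored under both Run and RunServices and pointing
to a .exe in the system directory, a mutex named "06:08:07:<number>", and
dropped files whose name (.tmp, .gif) hides a PE image (the .tmp one is a DLL).

The snapshot below is constructed. On a live Windows host the Run values would
be read with winreg and the mutex and file listings gathered separately; how
that is done is outside this example (assumption).
"""
import re

MUTEX_RE = re.compile(r"^06:08:07:\d+$")
SYSTEM_EXE_RE = re.compile(r"\\system32\\[^\\]+\.exe$", re.IGNORECASE)
MASQUERADE_EXT = (".tmp", ".gif")
IMAGE_FILE_DLL = 0x2000                      # FileHeader.Characteristics flag


def bobax_mutexes(mutex_names):
    """Mutex names matching the worm's "06:08:07:<random number>" pattern."""
    return [m for m in mutex_names if MUTEX_RE.match(m)]


def mirrored_autostarts(run, runservices):
    """Values present with identical data under both Run and RunServices and
    pointing to an .exe in the system directory. RunServices is only honoured by
    Windows 9x/ME, so on XP a value there that mirrors a Run value is itself odd."""
    return [(name, path) for name, path in run.items()
            if runservices.get(name) == path and SYSTEM_EXE_RE.search(path)]


def pe_kind(data):
    """'dll', 'exe' or None, by walking the DOS header to the PE signature and
    reading FileHeader.Characteristics (20-byte FileHeader; flags at offset 18)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = int.from_bytes(data[0x3C:0x40], "little")          # e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    characteristics = int.from_bytes(data[pe + 22:pe + 24], "little")
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def masqueraded_pe_files(files):
    """Files whose extension claims a temp or image file but whose content is a PE image."""
    hits = []
    for name, data in files.items():
        if name.lower().endswith(MASQUERADE_EXT):
            kind = pe_kind(data)
            if kind:
                hits.append((name, kind))
    return hits


def assess_host(snapshot):
    findings = {
        "mirrored_autostarts": mirrored_autostarts(snapshot["run"], snapshot["runservices"]),
        "bobax_mutexes": bobax_mutexes(snapshot["mutexes"]),
        "masqueraded_pe_files": masqueraded_pe_files(snapshot["files"]),
    }
    # The mutex alone is specific to the worm; the other two are only reported as
    # an infection together, because each on its own can have benign explanations.
    findings["likely_infected"] = bool(findings["bobax_mutexes"]) or (
        bool(findings["mirrored_autostarts"]) and bool(findings["masqueraded_pe_files"]))
    return findings


def fake_pe(is_dll):
    """Minimal MZ/PE header for the constructed snapshot (no real code inside)."""
    buf = bytearray(0x40 + 24)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x40).to_bytes(4, "little")           # e_lfanew -> PE signature
    buf[0x40:0x44] = b"PE\0\0"
    buf[0x44:0x46] = (0x14C).to_bytes(2, "little")          # IMAGE_FILE_MACHINE_I386
    flags = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)     # EXECUTABLE_IMAGE | 32BIT_MACHINE
    buf[0x40 + 22:0x40 + 24] = flags.to_bytes(2, "little")
    return bytes(buf)


SAMPLE_SNAPSHOT = {  # constructed; names such as qzxkvd are invented placeholders
    "run": {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
            "qzxkvd": r"C:\WINDOWS\system32\qzxkvd.exe"},
    "runservices": {"qzxkvd": r"C:\WINDOWS\system32\qzxkvd.exe"},
    "mutexes": ["ShimCacheMutex", "06:08:07:48213"],
    "files": {r"C:\WINDOWS\Temp\~DF1A2B.tmp": fake_pe(is_dll=True),
              r"C:\WINDOWS\Temp\notes.tmp": b"just text",
              r"C:\Temp\logo.gif": fake_pe(is_dll=False)},
}

if __name__ == "__main__":
    print(assess_host(SAMPLE_SNAPSHOT))
```

Checking the file content rather than the extension is the point of pe_kind: the description says the dropped .tmp is a DLL and the downloaded copy may carry a .gif name, so any scan keyed on extension alone misses both.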

The worm tries to download a set of files from certain web sites to measure the speed of the Internet connection. It then tries to connect to a web server, using a unique ID code to identify itself. Through this connection it can be instructed to:
- send spam mails;
- send system information to the author;
- stop and start scanning for IP addresses;
- download and run files;
- update itself.
Description inserted by Crony Walker on Tuesday, June 15, 2004
