1/12: Bobax-D Worm Exploits LSASS Flaw

January 12, 2005

W32/Bobax-D is a Sasser-like worm that propagates by exploiting the MS04-011 vulnerability in LSASS.exe. When run, W32/Bobax-D creates a helper DLL with a random name in the temp folder. When that DLL is loaded, the executable component copies itself to the Windows system folder under a random name.

The DLL is injected into Explorer and runs as a thread inside it, so the worm does not appear as a separate process in the process list.

The worm listens on a randomly chosen TCP port, and includes that port number in its outbound traffic so that other infected systems can connect back to it.
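Because the worm hides as a thread inside Explorer and opens a listening socket on a random port, one cheap triage check is to correlate listening sockets with the owning process and flag images that should never listen, such as explorer.exe. The following Python script is an added example written for this page, not code from Sophos or from the original article; the netstat-style lines, the PID-to-image map and the NO_LISTEN_PROCESSES set are constructed sample data and assumptions, not output from an infected host.

```python
"""Flag listening TCP sockets owned by processes that should never listen.

Added defender-side example inspired by the Bobax-D description (thread
injected into Explorer, listening on a random TCP port). All sample data
below is constructed; it is not captured from a real infection.
"""
import re
from dataclasses import dataclass

# Assumption for this example: workstation images that never legitimately own
# a LISTENING socket. Tune to the environment being checked.
NO_LISTEN_PROCESSES = {"explorer.exe", "lsass.exe", "winlogon.exe"}

# Constructed text in the shape of `netstat -ano` output on Windows.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:51234          0.0.0.0:0              LISTENING       1588
  TCP    192.168.1.20:51234     10.0.0.5:3344          ESTABLISHED     1588
  TCP    192.168.1.20:49700     93.184.216.34:443      ESTABLISHED     2212
  UDP    0.0.0.0:500            *:*                                    900
"""

# Constructed PID-to-image map (what `tasklist` would provide).
SAMPLE_PROCESSES = {
    4: "System",
    900: "svchost.exe",
    1588: "explorer.exe",
    2212: "firefox.exe",
}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: int
    image: str


# One netstat row: proto, local, foreign, optional state (absent for UDP), pid.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+)\s+(?P<faddr>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def parse_listeners(netstat_text, processes):
    """Return every LISTENING socket, resolved to its owning image name."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("state") != "LISTENING":
            continue
        # rpartition keeps IPv6 literals such as [::]:135 intact.
        host, _, port = m.group("laddr").rpartition(":")
        pid = int(m.group("pid"))
        listeners.append(
            Listener(
                proto=m.group("proto"),
                addr=host,
                port=int(port),
                pid=pid,
                image=processes.get(pid, "<unknown>"),
            )
        )
    return listeners


def suspicious_listeners(netstat_text, processes):
    """Listening sockets owned by images that should never listen.

    A PID with no entry in the process map is also reported, since a
    listener that cannot be attributed to a known image deserves a look.
    """
    return [
        l
        for l in parse_listeners(netstat_text, processes)
        if l.image == "<unknown>" or l.image.lower() in NO_LISTEN_PROCESSES
    ]


if __name__ == "__main__":
    for hit in suspicious_listeners(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(f"{hit.image} (pid {hit.pid}) listening on {hit.addr}:{hit.port}")
```

On a real host the two inputs would come from `netstat -ano` and `tasklist`; the random port itself is not a useful signature, but the pairing of a listening socket with an image that never listens is, which is why the check keys on the owning process rather than on the port number.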

W32/Bobax-D also carries an email relay module, allowing infected computers to be used to send unsolicited email. It also attempts to disable the Microsoft Windows firewall.

More information can be found on the Sophos page.
