1/12: Bobax-D Worm Exploits LSASS Flaw
January 12, 2005

W32/Bobax-D is a Sasser-like worm that uses the MS04-011 (LSASS.exe) vulnerability to propagate. When run, W32/Bobax-D creates a helper dll in the temp folder with a random name. When the dll is loaded the executable component copies itself to the Windows system folder under a random name.

This dll is injected into Explorer as a separate thread, so is not visible as a separate process.

The worm listens on a randomly chosen tcp port which the worm then includes in outbound traffic so infected systems can connect back.

W32/Bobax-D also carries an email relay module, allowing infected computers to be used for transmission of unsolicited emails. It will also attempt to disable the Microsoft Windows firewall.

More information can be found at Sophos page.