1/12: Bobax-D Worm Exploits LSASS Flaw
January 12, 2005

W32/Bobax-D is a Sasser-like worm that uses the MS04-011 (LSASS.exe) vulnerability to propagate. When run, W32/Bobax-D creates a helper DLL with a random name in the temp folder. When the DLL is loaded, the executable component copies itself to the Windows system folder under a random name.

This DLL is injected into Explorer as a separate thread, so the worm is not visible as a separate process.

The worm listens on a randomly chosen TCP port, which it then includes in its outbound traffic so that other infected systems can connect back.

W32/Bobax-D also carries an email relay module, allowing infected computers to be used to send unsolicited email. It will also attempt to disable the Windows Firewall.
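A simple host triage check for the behaviour described above, added here as an example and not taken from the Sophos write-up: because the worm runs as a thread inside Explorer and opens a listening TCP port, a `netstat -ano` line in state LISTENING whose PID maps to explorer.exe is a strong indicator. The netstat output and PID-to-image map below are constructed samples, and the port number is an assumption.

```python
"""Flag TCP listeners owned by explorer.exe, which never legitimately
listens on a socket but is where Bobax-D's injected thread lives."""
import re

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:37124          0.0.0.0:0              LISTENING       1512
  TCP    192.168.1.5:37124      192.168.1.77:2201      ESTABLISHED     1512
"""

# Constructed PID -> image name map, as `tasklist` would report it.
SAMPLE_PROCESSES = {880: "svchost.exe", 4: "System", 1512: "explorer.exe"}

# Matches a LISTENING line; group 1 is the local port, group 2 the owning PID.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listening_sockets(netstat_text):
    """Return (port, pid) pairs for every TCP LISTENING line."""
    found = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append((int(m.group(1)), int(m.group(2))))
    return found


def suspicious_listeners(netstat_text, processes, suspect_images=("explorer.exe",)):
    """Return the listeners whose owning image is one that should never
    hold a listening socket (explorer.exe by default)."""
    flagged = []
    for port, pid in listening_sockets(netstat_text):
        image = processes.get(pid, "<unknown>")
        if image.lower() in suspect_images:
            flagged.append({"port": port, "pid": pid, "image": image})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_listeners(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print("suspicious: %s (pid %d) listening on tcp/%d"
              % (hit["image"], hit["pid"], hit["port"]))
```

On a live host, feed the real `netstat -ano` text and a map built from `tasklist` into `suspicious_listeners`; any hit warrants checking Explorer's loaded modules for a randomly named DLL from the temp folder.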

More information can be found on the Sophos page.
