Neuer Wurm ''Bobax'' aufgetaucht: Gefährlicher als ''Sasser''

The dropper file is named svc.exe. When run, it extracts a DLL file from its executable and injects it into the Explorer process space.

When executed for the first time, the Bobax trojan follows these steps:

• Tests for the presence of mutex 00:24:03:54A9D. Exits if it exists, creates it if it doesn't
• Attempts to delete files from the Temp directory with a tilde prefix, cleaning up after the infection process
• Copies itself to the Windows system directory and adds to the following registry keys:

  	HKLMSoftwareMicrosoftWindowsCurrentVersionRun
  	HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices
   		[keyname] => [path to executable file]
  

  The registry key name is an 8-digit hexidecimal psuedo-random number generated from the volume ID of the disk where the system directory resides. The exe name prefix is a sequence of 5-14 randomly generated lowercase letters.

• Attempts to contact the the following sites:
  
  chilly.no-ip.info
  kwill.hopto.org
  cheese.dns4biz.org
  butter.dns4biz.org
  
  The requested URL is:
  
  http://hostname/reg?u=[8-digit hex id]&v=114
  
  The User-agent provided by the trojan when connecting to the control server is:
  
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
  
  If successful, the trojan will parse the returned content looking for commands from this server. These commands may or may not be present depending on the spammer's schedule:

  	exe - Download and execute a program
  	scn - Scan and infect hosts using the MS04-011 exploit
  	scs - Stop scanning
  	prj - Send spam from template email and list of addresses provided
   

• An HTTP listener is set up on a random numbered port between 2000 and 62000
• 128 threads are started to scan for vulnerable hosts:
  • 32 threads will scan the same /16 subnet as the local host
  • 32 threads will scan the same /8 subnet as the local host
  • 64 threads will scan randomly chosen Internet addresses
• The scan is actually performed on TCP port 5000 - if the port is found open this is usually indicative of a Windows XP host. The trojan will then connect to port 445 and execute the LSASS exploit against the vulnerable host. The trojan file will be served from the internal HTTP process and the target host will be infected and under the control of the spammer.

It is unclear why the trojan author chose to only infect Windows XP systems. It could be for simplicity - the exploit will crash a system if the target OS and patchlevel does not match certain offsets in the exploit code, so limiting the target platform means you only have to send one offset. It could also be the spammer prefers to operate using home-user systems rather than corporate servers which would be more likely to be running Windows 2000.

The internal workings of the code appear similar to spam trojans we have seen before - most recently in the "Minit" trojan. This could be an indication that they at least share some of the same code if they are not written by the same author.

Update: May 19, 2004
At this time, two more variants have been discovered. Bobax.B is a minor variant with additional websites to contact. It also attempts to download files from other websites as a bandwidth-speed test. Bobax.C has introduced the ability to spread by also exploiting the RPC/DCOM vulnerability used by the Blaster worm (MS03-026/MS03-039) on TCP port 135.