Trend Micro Virus Alert - WORM_BOBAX.P

Discussion in 'malware problems & news' started by Randy_Bell, Jun 3, 2005.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Dear Trend Micro customer,

    As of June 3, 2005, 1:38 AM PDT (Pacific Daylight Time/GMT -7:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_BOBAX.P. TrendLabs has received several infection reports indicating that this malware is spreading in Australia, India, Ireland, Japan, Peru, Singapore, and the United States.

    This memory-resident worm usually arrives on a system as a downloaded file of TROJ_SMALL.AHE. It spreads by sending a copy of TROJ_SMALL.AHE as an attachment to an email message that it sends using its own Simple Mail Transfer Protocol (SMTP) engine.

    The message it sends out contains the following details:

    Subject: {blank}

    Message body: (any of the following)

    • Attached some pics that i found
    • Check this out :)
    • Hello,
    • I was going through my album, and look what I found..
    • Long time! Check this out!
    • Osama Bin Laden Captured.
    • Remember this?
    • Saddam Hussein - Attempted Escape, Shot dead
    • Secret!
    • Testing

    (followed by any of the following strings)

    • +++ Attachment: No Virus found
    • +++ F-Secure AntiVirus - You are protected
    • +++ Norman AntiVirus - You are protected
    • +++ Norton AntiVirus - You are protected
    • +++ Panda AntiVirus - You are protected
    • +++ www.f-secure.com
    • +++ www.norman.com
    • +++ www.pandasoftware.com
    • +++ www.symantec.com

    Attachment: (any of the following names followed by a .ZIP extension)

    • bush.1
    • funny.1
    • joke.1
    • pics.1
    • secret.2

    When an unsuspecting user executes the Trojan attachment, TROJ_SMALL.AHE downloads WORM_BOBAX.P, and the vicious worm-Trojan cycle continues.

    It also propagates by taking advantage of the Windows LSASS vulnerability. Furthermore, it is capable of modifying the system's HOSTS file in order to prevent users from accessing certain Web sites.


    TrendLabs will be releasing the following EPS deliverables:

    TMCM Outbreak Prevention Policy 179 -- already uploaded
    Official Pattern Release 2.663.00
    Damage Cleanup Template 612


    For more information on WORM_BOBAX.P, you can visit our Web site at:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BOBAX.P
     
    Randy_Bell, Jun 3, 2005
    #1
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...