WORM_BOBAX.C

from Trend Newsletter: WORM_BOBAX.C is a non-destructive worm that exploits the Windows LSASS vulnerability. This buffer overrun vulnerability allows an attacker to gain full control of an infected system. For more information on this vulnerability, please visit Microsoft’s Web site. This worm is currently spreading in-the-wild and runs on Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this worm installs itself in the Windows system folder using random file names. It also drops a .DLL file in the Windows Temp folder with the name <random number>.TMP.

It also creates a registry entry that allows it to automatically execute at every system startup.

This malware also checks whether the following mutex exists, and to ensure that only one instance of itself is running in memory: 06:08:07:<random>. It then deletes its executed copy.

As part of its propagation routine, it sends a specially crafted packet to a specific port. This packet of data instructs the target machine to download the worm copy from an HTTP server. It saves this downloaded file as SVC.EXE.

If you would like to scan your computer for WORM_BOBAX.C or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

WORM_BOBAX.C is detected and cleaned by Trend Micro pattern file #892 and above.