W32/Bobax.AH@mm
Analysis
This threat is heavily packed and can spread to target systems in two ways:
(1) by connecting to other vulnerable systems using an MS05-039 based exploit, and
(2) by sending a copy of itself via SMTP email.
When spreading via email, the virus composes messages that may appear credible in some aspects; however, clues do give them away as forgeries.
Loading at Windows Startup
This threat writes itself to the System32 folder under a random name and alters the registry so that it runs at each Windows startup, as in this example:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"gXRMKH\" = C:\WINNT\System32\lckmiliiaro.exe
SMTP Email Distribution
This threat harvests email addresses from the target system by scanning common files for valid addresses.
After gathering numerous addresses, the threat generates randomly crafted emails and sends them, with a copy of itself attached, to the harvested recipients.
Potential body texts (one lure per item, reproduced as the worm composes them):
- Saddam Hussein - Attempted Escape, Shot dead
  Attached some pics that i found
- Osama Bin Laden Captured.
  Attached some pics that i found
- Testing
  Secret!
- Hey,
  Remember this?
- Hello,
  Long time! Check this out!
- Hey,
  I was going through my album, and look what I found..
- Hey,
  Check this out :-)
The threat adds a copy of itself to the outbound messages.
HOSTS modification routine
This variant alters the local "HOSTS" file in an effort to block access to antivirus and security-related web addresses. The virus overwrites the "HOSTS" file with bogus entries so that attempts to reach certain addresses resolve to the IP 255.255.255.255 (the limited broadcast address, which never reaches a real server).
Below is an excerpt from a modified HOSTS file:
255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
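A defender-side check for this routine, added here as an example and not part of the original analysis: it parses HOSTS text (tabs, comments and multi-hostname lines as in the excerpt above) and flags entries that pin security-vendor hostnames to a sinkhole address. It generalises slightly beyond the page by also treating loopback and 0.0.0.0 mappings of vendor domains as suspicious; the vendor suffix list and the sample file are constructed from the excerpt.

```python
import ipaddress
import re

# Vendor domains taken from the HOSTS excerpt on this page (a representative subset).
SECURITY_DOMAIN_SUFFIXES = (
    "symantec.com", "mcafee.com", "f-secure.com", "sophos.com", "kaspersky.ru",
    "nai.com", "trendmicro.com", "ca.com", "avp.com", "microsoft.com",
)

# Addresses that never serve a real website: broadcast, unspecified and loopback.
SINKHOLE_ADDRESSES = {"255.255.255.255", "0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample modelled on the excerpt above (not taken from a real system).
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1\tlocalhost
192.0.2.10\tintranet.example.test   # legitimate corporate entry
255.255.255.255 liveupdate.symantec.com update.symantec.com www.mcafee.com
255.255.255.255 windowsupdate.microsoft.com
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; one HOSTS line may list many hostnames."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                              # malformed entry, not a mapping
        for host in fields[1:]:
            yield ip, host.lower()


def is_security_vendor(host):
    """True if host is, or is a subdomain of, a known security-vendor domain."""
    return any(host == s or host.endswith("." + s) for s in SECURITY_DOMAIN_SUFFIXES)


def find_suspicious_entries(text):
    """Return entries that sinkhole a vendor domain, or any broadcast mapping at all."""
    hits = []
    for ip, host in parse_hosts(text):
        if ip == "255.255.255.255" or (ip in SINKHOLE_ADDRESSES and is_security_vendor(host)):
            hits.append((ip, host))
    return hits
```

Run it against a copy of `%SystemRoot%\System32\drivers\etc\hosts`; any hit is a strong sign the update-blocking routine described above has executed.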
Recommended Action
FortiGate systems:
- Check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option.
Telemetry
Detection Availability
Product | Detection Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |