W32/Bobax.AH@mm

Analysis

This threat is heavily packed and has the capability to distribute itself to targets in two ways:

(1) by connecting with other vulnerable systems using an MS05-039 based exploit, and
(2) by sending a copy of itself via SMTP email

When spreading via email, the virus composes messages that may appear credible in some respects; however, clues do give them away as forgeries.

Loading at Windows Startup
This threat copies itself to the System32 folder under a random file name and alters the registry so that it runs at each Windows startup, as in this example -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"gXRMKH\" = C:\WINNT\System32\lckmiliiaro.exe

SMTP Email Distribution
This threat harvests email addresses from the target system by scanning common file types for valid addresses. After gathering numerous addresses, the threat generates randomly crafted emails and sends a copy of itself to the harvested recipients.

Potential body texts:

Saddam Hussein - Attempted Escape, Shot dead
Attached some pics that i found

Osama Bin Laden Captured.
Attached some pics that i found

Testing

Secret!

Hey,
Remember this?

Hello,
Long time! Check this out!

Hey,
I was going through my album, and look what I found..

Hey,
Check this out :-)

The threat adds a copy of itself to the outbound messages.

HOSTS modification routine
This variant alters the local "HOSTS" file in an effort to block access to antivirus and security-related web addresses. The virus overwrites the "HOSTS" file with entries that map those addresses to the IP 255.255.255.255, so that attempts to reach them fail. Below is an excerpt from the modified HOSTS file -

255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
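To check a HOSTS file for this kind of tampering, here is an added example (not part of Fortinet's analysis) that parses HOSTS syntax and flags any of a watched set of security-vendor domains, as well as any name pinned to 255.255.255.255; the watched set and the sample file are constructed from the excerpt above.

```python
import ipaddress

# A subset of the domains the page lists as redirected by this variant
# (constructed watch list; extend it with the full excerpt as needed).
WATCHED_DOMAINS = {
    "liveupdate.symantec.com", "download.mcafee.com", "windowsupdate.microsoft.com",
    "www.f-secure.com", "securityresponse.symantec.com", "www.kaspersky.ru",
}

# Constructed sample HOSTS file: a comment, a normal localhost entry, a
# legitimate intranet alias, and one tampered line in the style of the excerpt.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        intranet.example.local  # constructed, not an indicator
255.255.255.255 liveupdate.symantec.com download.mcafee.com windowsupdate.microsoft.com www.kaspersky.ru
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a HOSTS file.
    One line may map a single address to many hostnames; '#' starts a comment."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or malformed line
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid address, skip rather than guess
        for name in names:
            yield ip, name.lower(), line_no


def find_tampering(text, watched=WATCHED_DOMAINS):
    """Return sorted (line_no, hostname, ip, reason) findings.
    A security-vendor domain should never appear in HOSTS, whatever the address;
    a mapping to the broadcast address is suspicious for any hostname."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in watched:
            findings.append((line_no, name, ip, "watched security domain present in HOSTS"))
        elif ip == "255.255.255.255":
            findings.append((line_no, name, ip, "mapped to broadcast address"))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, name, ip, reason in find_tampering(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({reason})")
```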

Recommended Action


    FortiGate systems:
  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR: