5/18: Bobax-A Exploits LSASS Vulnerability
Security vendors Tuesday issued a low-level threat alert for Bobax.A, a worm that spreads via the Internet by exploiting the LSASS vulnerability in remote computers. This vulnerability is critical for Windows XP/2000 operating systems that are not properly updated, according to Panda Software.
Bobax.A's exploitation attempt causes the targeted computer to reboot automatically, whether or not the infection succeeds.
Bobax.A only spreads automatically to Windows XP/2000 computers. However, computers running other Windows versions can also be a source of transmission when a malicious user runs the file containing the worm on any of these computers.
Bobax.A opens several random ports through which a remote user can use the affected computer as a mail server in order to send spam.
If you have a Windows XP/2000 computer, it is strongly recommended that you download the security patch for the LSASS vulnerability (Microsoft Security Bulletin MS04-011) from the Microsoft website.
More information is at this Panda Software page.
W32.Bobax.A is a worm that exploits the LSASS vulnerability (described in Microsoft Security Bulletin MS04-011), according to Symantec. Infected computers may be used as an email relay.
Technical details are at this Symantec page.
According to Trend Micro, Worm_Bobax.A exploits the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. This vulnerability is discussed in detail in the following pages:
It sends a specially crafted packet to TCP port 445, which instructs the target machine to download a copy of the worm from an HTTP server. It also opens random ports on the infected system, listening for incoming connections. These random ports emulate an SMTP (Simple Mail Transfer Protocol) server, so a remote user can relay email messages through the infected system as if it were a mail server.
It runs on Windows 95, 98, NT, ME, 2000, and XP.
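Because the worm's SMTP emulation sits on random ports rather than port 25, a port list alone does not reveal it; what does is that an SMTP server speaks first, with a "220" greeting line, before the client sends anything. The following probe is an added example (not Trend Micro's or the page's code): it takes a host and a list of listening ports (for instance the ones netstat shows on the suspect machine) and reports the ones whose unprompted greeting looks like SMTP. The loopback "fake listener" helper is a constructed fixture that stands in for the infected host's rogue service, and all function names are this example's own.

```python
"""Find TCP listeners that greet like an SMTP server. Added example, not Trend Micro code."""
import socket
import threading
from typing import Iterable, List, Optional, Tuple


def looks_like_smtp_banner(banner: bytes) -> bool:
    """SMTP servers speak first: a '220' reply line (RFC 5321) before the client sends anything."""
    first = banner.split(b"\r\n", 1)[0].split(b"\n", 1)[0]
    # A real reply code is exactly three digits followed by a space, a '-' (multi-line) or EOL.
    return first.startswith(b"220") and (len(first) == 3 or first[3:4] in (b" ", b"-"))


def grab_banner(host: str, port: int, timeout: float = 2.0) -> Optional[bytes]:
    """Connect and return whatever the service sends unprompted; None if closed or silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(512)
    except OSError:  # refused, unreachable, or timed out (socket.timeout is an OSError)
        return None


def find_smtp_listeners(host: str, ports: Iterable[int], timeout: float = 2.0) -> List[Tuple[int, bytes]]:
    """Return (port, banner) for every port whose unprompted greeting is an SMTP 220 line."""
    hits: List[Tuple[int, bytes]] = []
    for port in ports:
        banner = grab_banner(host, port, timeout)
        if banner and looks_like_smtp_banner(banner):
            hits.append((port, banner))
    return hits


def start_fake_listener(greeting: Optional[bytes]) -> int:
    """Constructed fixture: a loopback service on an OS-chosen port that either greets or stays silent."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick, mirroring the worm's random ports
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if greeting is not None:
                    conn.sendall(greeting)
                else:
                    try:
                        conn.recv(1)  # silent service: wait until the client gives up and closes
                    except OSError:
                        pass

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    relay = start_fake_listener(b"220 localhost ESMTP\r\n")  # stands in for the rogue relay
    quiet = start_fake_listener(None)                         # some other, non-SMTP listener
    print(find_smtp_listeners("127.0.0.1", [relay, quiet], timeout=1.0))
```

Probe only the ports a host is actually listening on; with a two-second timeout per port, sweeping all 65535 is impractical and unnecessary. A hit on a non-standard port that greets with "220" on a workstation that has no business running a mail server is exactly the symptom this alert describes.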
Technical details are at this Trend Micro page.
Trojan/Worm Copies Itself to Poorly Protected Network Shares
W32/Sdbot-MV is an IRC backdoor Trojan and network worm that copies itself to network shares protected by weak passwords, according to Sophos, which issued an alert Tuesday. When first run, W32/Sdbot-MV copies itself to the Windows system folder as alien.exe and creates the following registry entries to ensure it is run at system logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Synchronization Manager = alien.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Synchronization Manager = alien.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Synchronization Manager = alien.exe
Each time W32/Sdbot-MV is run it attempts to connect to a remote IRC server and join a specific channel. The worm then runs in the background allowing a remote intruder to issue commands which control the computer via IRC channels.
Commands include downloading and executing remote files.
More information is at this Sophos page.
Trojan Allows Unauthorized Access From IRC Channels
Troj/SdBot-BI is an IRC backdoor Trojan which allows unauthorized access and control of the computer from IRC channels, according to Sophos.
Upon execution Troj/SdBot-BI displays the fake error message "Error-38427 A valid dll file was not found, Windows is now deleting file."
In order to run automatically when Windows starts up, the Trojan copies itself to the file msnmessengerupdate.exe in the Windows system folder and adds the following registry entry to ensure it is started on computer logon:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
svshostdriver = msnmessengerupdate.exe
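Both Sophos alerts above persist the same way: a bare file name dropped in the Windows system folder and referenced from a Run or RunServices value, with a value name chosen to look like a Microsoft component. The script below is an added example (not Sophos's or the page's code) that checks an exported copy of those keys for the two published file names and for the generic pattern they share. The SAMPLE_REG text is a constructed sample in the format of a `reg export` file, not a real capture, and the function names and heuristics are this example's own.

```python
"""Flag suspicious autorun entries in a .reg-style export. Added example, not Sophos code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of `reg export` output (not a real capture).
# It mixes the two Sophos indicators with two legitimate-looking entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Synchronization Manager"="alien.exe"
"svshostdriver"="msnmessengerupdate.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Synchronization Manager"="alien.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# File names -> family, taken from the Sophos descriptions on this page.
KNOWN_BAD: Dict[str, str] = {
    "alien.exe": "W32/Sdbot-MV",
    "msnmessengerupdate.exe": "Troj/SdBot-BI",
}
AUTORUN_SUFFIXES = ("\\run", "\\runonce", "\\runservices")

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """.reg files escape backslash and double quote with a backslash."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for every REG_SZ value in a .reg export."""
    entries: List[Tuple[str, str, str]] = []
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None:
            m = _VALUE_RE.match(line)
            if m:
                entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def assess_autorun(key: str, name: str, data: str) -> Optional[dict]:
    """Return a finding for a suspicious autorun value, or None if nothing stands out."""
    if not key.lower().endswith(AUTORUN_SUFFIXES):
        return None
    command = data.strip()
    if not command:
        return None
    low = command.lower()
    # Image path: a quoted path, else everything up to ".exe", else the first token.
    if command.startswith('"'):
        image = command[1:].split('"', 1)[0]
    elif ".exe" in low:
        image = command[: low.index(".exe") + 4]
    else:
        image = command.split()[0]
    base = image.rsplit("\\", 1)[-1].lower()

    reasons: List[str] = []
    family = KNOWN_BAD.get(base)
    if family:
        reasons.append(f"file name is a published indicator for {family}")
    if "\\" not in image:
        reasons.append("bare file name: resolved from the Windows system folder, "
                       "which is where both SdBot variants drop their copy")
    if key.lower().endswith("\\runservices"):
        reasons.append("RunServices key: Windows 9x/ME-era key rarely used by current software")
    if not reasons:
        return None
    return {"key": key, "name": name, "data": data, "family": family, "reasons": reasons}


def find_suspicious_autoruns(text: str) -> List[dict]:
    """Parse a .reg export and return one finding per suspicious autorun value."""
    return [f for f in (assess_autorun(*e) for e in parse_reg_export(text)) if f]


if __name__ == "__main__":
    for f in find_suspicious_autoruns(SAMPLE_REG):
        print(f"{f['key']}\n  {f['name']} = {f['data']}")
        for r in f["reasons"]:
            print("    -", r)
```

On a live machine the input comes from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and the RunServices and HKCU keys likewise); `reg export` writes UTF-16LE with a byte-order mark, so open the file with `encoding="utf-16"` before passing its text in. The two file-name indicators are specific to these samples; the bare-file-name and RunServices heuristics are the part that generalizes to the next variant.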
Lovgate Variant Performs Several Functions
W32.Lovgate.W@mm is a variant of W32.HLLW.Lovgate@mm that:
The "sender" of the email is spoofed and its subject line and message vary. The attachment name varies with a .bat, .cmd, .exe, .pif, or .scr file extension. It may also send a .zip file, containing an executable, as an attachment.
This threat is written in the C++ programming language and is compressed with JDPack and ASPack.
Technical details are at this Symantec page.
Trojan Tries to Steal Passwords, Bank Information
Backdoor.Nibu.F is a Trojan horse that attempts to steal passwords and bank-account information.
Note: Virus definitions dated May 17, 2004 may detect this threat as W32.Dumaru.AJ@mm. Technical details are at this Symantec page.
VBS Worm Spreads Using Outlook
VBS.Apulia.G@mm is a nondestructive mass-mailing VBScript worm. It spreads using Microsoft Outlook. The email has a variable subject and attachment. The attachment will most likely have a .vbs file extension.
Technical details are at this Symantec page.
--Compiled by Esther Shein
