Thursday, May 20, 2004

Bobax.a, Bobax.b and Bobax.c Virus Warning

- Panda Software warns of two new variants of the Bobax worm -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, May 19, 2004 - PandaLabs has detected variants B and C of the Bobax
worm, two new malicious codes which join Bobax.A, discovered some days ago.
As a result, the probability of computers being infected by one of the Bobax
worms has increased considerably.

Like the Sasser family of worms, the three Bobax variants exploit the
Windows LSASS vulnerability to spread. These worms try to access a large
number of IP addresses to see if the computers they belong to have the LSASS
vulnerability.

If that is the case, Bobax sends instructions to the affected computer to
download a copy of the worm. Also, when any of the Bobax worms exploits the
LSASS vulnerability, a buffer overrun is produced that causes the affected
system to restart.

Even though the LSASS vulnerability affects only Windows XP and 2000
systems, Bobax and its variants can also spread to the other Windows
platforms. However, in the latter case the worms do not spread to computers
automatically; the user must run a file that contains a Bobax specimen for
the system to be infected.

Once installed on a computer, the Bobax worms open several random
communication ports, which could allow a remote user to use the affected
system as an SMTP server for sending mail. In this way, targeted computers
could become 'zombies' for sending spam.

PandaLabs has also detected e-mails carrying the new Trojan Ldpinch.W. Even
though this is not an extremely dangerous malicious code, it takes advantage
of headline news (the Iraq conflict) to trick users and infect their
computers.
The message that carries Ldpinch.W has the following characteristics:

Subject:
Important news about our soldiers in IRAQ!!!

Message:
Seven officers was lost today,
follow the link to get the full story.
[Internet address]

Attached file:
IMPORTANT INFORMATION.ZIP, which in turn contains the file IMPORTANT
INFORMATION.SCR.

The Internet address shown in the message includes information on the Iraq
war. However, if the user runs the attached file, Ldpinch.W will be
installed on the computer.
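
As an added example (not part of Panda Software's alert), a mail-gateway
style check for the attachment pattern described above: a ZIP whose members
are Windows executables such as .SCR. The function names, the extension list
and the sample message are assumptions constructed for illustration.

```python
import io
import os
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Assumed blocklist: extensions Windows runs directly (.scr is a PE executable).
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}

def risky_zip_members(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (attachment, member) pairs for executables inside ZIP attachments."""
    findings = []
    for part in message_from_bytes(raw_message).walk():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True)  # None for multipart containers
        if payload is None or not name.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            # A ".zip" that does not parse cannot be inspected; flag it too.
            findings.append((name, "<unreadable archive>"))
            continue
        for member in members:
            if os.path.splitext(member)[1].lower() in EXECUTABLE_EXTS:
                findings.append((name, member))
    return findings

def build_sample(member_name: str) -> bytes:
    """Constructed test message with placeholder bytes, not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder, not executable content")
    msg = EmailMessage()
    msg["Subject"] = "Important news about our soldiers in IRAQ!!!"
    msg.set_content("follow the link to get the full story.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="IMPORTANT INFORMATION.ZIP")
    return msg.as_bytes()

if __name__ == "__main__":
    print(risky_zip_members(build_sample("IMPORTANT INFORMATION.SCR")))
    print(risky_zip_members(build_sample("notes.txt")))
```

The check keys on the archive contents rather than the subject line, so it
still applies when the lure text changes.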

This Trojan is designed to steal confidential information from the system
and send it to a predetermined e-mail address. In this way, the virus
creator could use the stolen data in a fraudulent manner.

In order to prevent your computer from falling victim to any of the Bobax
worms or Ldpinch.W, Panda Software advises users to tighten security
measures and keep their antivirus software updated. Panda Software has made
the necessary updates to its products available to clients so that they
detect and disinfect these new malicious codes.

In order to avoid attacks from Bobax or its variants, it is necessary to
install the Microsoft patch that fixes the LSASS vulnerability. You can
download this patch from
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx.

More information about these and other IT threats is available in Panda
Software's Virus Encyclopedia at
http://www.pandasoftware.com/virus_info/encyclopedia/

In addition, users can scan their computers online for free with the
ActiveScan solution, available on the company's web page at
http://www.pandasoftware.com.