Friday, May 21, 2004

More on the Bobax worm and A, B, and C variants

- Weekly report on viruses and intrusions -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, May 21, 2004 - This week's report on viruses and intrusions will
deal with the worms Bobax.A, Bobax.B, Bobax.C, Kibuv.A and Lovgate.AF, as
well as with the Trojan Ldpinch.W.

The three variants of the worm Bobax (A, B and C) are very similar, the only
difference between them being the size of their infection code. The main
feature of this new family is that, like Sasser, they exploit the Windows
LSASS vulnerability in order to spread: they scan the Internet for computers
that still have the aforementioned vulnerability.

Bobax sends instructions to the affected computer to download and run a copy
of the worm. The buffer overrun these worms cause when exploiting the LSASS
vulnerability makes the computer restart.

Although the LSASS vulnerability only affects Windows XP/2000 operating
systems, Bobax and all its variants can also affect other Windows platforms.
On those platforms, however, the Bobax worms cannot spread automatically:
they need users to execute a file containing a copy of the worm in order to
infect the computer.

Once they have been executed, the Bobax worms open several TCP ports, thus
allowing hackers to use the affected computers as SMTP mail servers. In this
way, the computers are turned into 'zombies' for sending spam.

Kibuv.A is another imitator of Sasser, and its effects are very similar. It
also exploits the LSASS vulnerability in order to spread, restarting the
computer in the process. Like the Bobax worms, Kibuv.A affects all the
Windows operating systems, but it only spreads automatically to Windows
XP/2000 computers.

Lovgate.AF is a worm with backdoor characteristics that uses several
techniques to spread, such as e-mail messages, the peer-to-peer (P2P) file
sharing program KaZaA, shared network resources, etc.

Once it has reached a computer, Lovgate.AF opens a port and sends an e-mail
message to a remote user to notify them that the computer has been affected
and is accessible through the opened port.

Finally, the Trojan Ldpinch.W has been sent massively by hackers in an
e-mail message with the subject 'Important news about our soldiers in
IRAQ!!!'. The message contains a text on the conflict in Iraq and includes
a link to a web page with information on that issue. The e-mail message
carries the compressed attachment IMPORTANT INFORMATION.ZIP which, in turn,
contains the file IMPORTANT INFORMATION.SCR. When the user runs this file,
Ldpinch.W is installed on the computer.
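The lure described above relies on a ZIP attachment whose only content is a screensaver executable (.SCR). The following check, added here as an illustration and not part of Panda Software's report or products, inspects an attachment archive in memory and flags members with executable extensions; the sample archives and their contents are constructed placeholders.

```python
import io
import os
import zipfile

# Extensions Windows runs when double-clicked. .SCR (screensaver) is the one
# used by the Ldpinch.W attachment described in the report.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def suspicious_members(zip_bytes: bytes) -> list:
    """Return the names of archive members that carry an executable extension.

    Matching is case-insensitive and uses the final extension only, so both
    'IMPORTANT INFORMATION.SCR' and 'readme.txt.exe' are flagged.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            _, ext = os.path.splitext(info.filename)
            if ext.lower() in EXECUTABLE_EXTENSIONS:
                flagged.append(info.filename)
    return flagged


def build_sample_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()


# Constructed attachment modelled on the lure in the report: the archive's
# only payload is a screensaver executable. File contents are placeholders.
LURE_ZIP = build_sample_zip({"IMPORTANT INFORMATION.SCR": b"MZ placeholder"})
# Constructed benign attachment for comparison.
BENIGN_ZIP = build_sample_zip({"report.txt": b"plain text", "photo.jpg": b"\xff\xd8"})

if __name__ == "__main__":
    print(suspicious_members(LURE_ZIP))    # ['IMPORTANT INFORMATION.SCR']
    print(suspicious_members(BENIGN_ZIP))  # []
```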

Ldpinch.W steals confidential information on the affected computer and then
sends it out to a specific e-mail address. By doing so, the virus author can
use this data with malicious intent.

For further information about these and other computer threats, visit Panda
Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- Vulnerabilities: flaws or security holes in a program or IT system, often
used by viruses as a means of infection.

- Backdoor Trojan: a program that enters the computer and creates a backdoor
through which it is possible to control the affected system without the user
realizing it.

More definitions at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx