W32/Bobax.B!worm

Analysis

  • It copies itself to %SYSTEM32% as <random_characters>.exe
  • It adds the value "<random_characters>" = "%SYSTEM32%\<random_characters>.exe" to:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  • It drops a .dll file with a random name and a .tmp extension in the %Temp% folder. This .dll file contains the worm's main functionality. It injects the .dll file into Explorer.exe and then ends its own .exe process.
  • It attempts to contact a remote Web server using a unique ID code as notification of the infection. The response will contain commands activating certain features, which include:
    Sending spam mail
    Sending system information to the author
    Stopping and starting IP address scanning
    Downloading and running executables
  • It scans randomly generated IP addresses, attempting to connect to them on TCP port 5000. If a connection is made, the worm does the following:
    Sends shellcode to the host on TCP port 445, attempting to exploit the Microsoft Windows LSASS Buffer Overrun Vulnerability.
    If successful, the code that is executed on the remote computer uses HTTP to force a connection back to the infected computer on a random port.
    It downloads an executable copy of the worm, with a .gif extension, and executes it.
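The scanning stage described above leaves a recognisable network footprint: one internal host probing many unrelated addresses on TCP port 5000, with some of those targets then contacted on TCP port 445. The following is an added detection example, not code from the original Fortinet page; the connection-log format, the `SAMPLE_LOG` lines and the threshold of five distinct targets are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample connection log (not from the original page): one outbound
# connection attempt per line as "<time> <src_ip> -> <dst_ip>:<dst_port> <state>".
SAMPLE_LOG = """\
10:00:01 10.0.0.5 -> 203.0.113.7:5000 SYN
10:00:01 10.0.0.5 -> 198.51.100.23:5000 SYN
10:00:02 10.0.0.5 -> 192.0.2.99:5000 SYN
10:00:02 10.0.0.5 -> 203.0.113.88:5000 SYN
10:00:03 10.0.0.5 -> 198.51.100.4:5000 SYN
10:00:03 10.0.0.5 -> 198.51.100.4:445 SYN
10:00:04 10.0.0.5 -> 192.0.2.150:5000 SYN
10:00:09 10.0.0.9 -> 10.0.0.20:445 SYN
10:00:10 10.0.0.9 -> 10.0.0.21:445 SYN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")


def parse_log(text):
    """Yield (time, src, dst, dport) tuples, skipping lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def find_bobax_scanners(text, scan_port=5000, exploit_port=445, min_targets=5):
    """Return {src: summary} for hosts that probe at least min_targets distinct
    IPs on scan_port (the worm's pre-check), recording any of those targets that
    are afterwards contacted on exploit_port (the LSASS exploit attempt)."""
    probes = defaultdict(set)     # src -> distinct IPs probed on scan_port
    followups = defaultdict(set)  # src -> probed IPs later hit on exploit_port
    for _, src, dst, dport in parse_log(text):
        if dport == scan_port:
            probes[src].add(dst)
        elif dport == exploit_port and dst in probes[src]:
            followups[src].add(dst)
    return {
        src: {"scan_targets": len(dsts), "exploit_followups": sorted(followups[src])}
        for src, dsts in probes.items() if len(dsts) >= min_targets
    }


if __name__ == "__main__":
    for src, info in find_bobax_scanners(SAMPLE_LOG).items():
        print(src, info)
```

On real data the threshold should be tuned per network, and the 5000-then-445 pairing, rather than port 445 traffic alone, is what separates this worm's pattern from ordinary SMB activity.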

Recommended Action

  FortiGate systems:
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.

Telemetry

Detection Availability

  Product                     Availability
  FortiGate                   Extreme
  FortiClient                 Extended
  FortiMail                   Extended
  FortiSandbox                Extended
  FortiWeb                    Extended
  Web Application Firewall    Extended
  FortiIsolator               Extended
  FortiDeceptor               Extended
  FortiEDR

Version Updates

  Date         Version     Detail
  2022-07-05   90.03884
  2022-05-01   90.01894