Computer Virus Encyclopedia

Trojan-Proxy.Win32.Bobax.a

Alert Level : Medium
Discovered: May 17 2004
Discoverer and Source: http://www.kaspersky.com/

Malware Behavior and Technical Description

This Trojan program makes it possible for the infected machine to be used as a proxy server.

Bobax uses a vulnerability in Microsoft LSASS to propagate on command.

The Trojan is written in Microsoft Visual C++ and its body is encrypted. It runs under Windows and is 20480 bytes in size.

Installation

When loading, Bobax decrypts its body and saves it as a .dll file in the temporary directory under the random name ~xxxx.tmp, where xxxx is a random hexadecimal value.

This .dll file is the main Trojan component; it is packed using UPX, and is 17920 bytes in size.

When the .dll file is loaded, the executable component copies itself to the Windows system directory under a random string of characters as its file name.

It creates the mutex 00:24:03:54A9D in memory to flag its presence on the system, and writes itself to the system registry as an auto-run key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"[Random key name]" = "[Path to executable file]"

The key name is a random number in hexadecimal format.
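A read-only triage check for the three installation artefacts described above (the RunServices value with a hexadecimal name, the dropped ~xxxx.tmp file in the temporary directory, and the mutex), added here as an example and not part of the original entry; the hex-name pattern and the system-directory test are heuristics of my own, not constants taken from the Trojan:

```powershell
# Added example: read-only triage for the Bobax.a artefacts described in the entry.
# Heuristics (hex-only value name, data under the system directory) are assumptions.
$runServices = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
$systemDir   = [Environment]::GetFolderPath('System')
$findings    = @()

# 1. Auto-run value: the entry says the key name is a random hexadecimal number and
#    the data is the path of the copy placed in the Windows system directory.
if (Test-Path $runServices) {
    $item = Get-Item $runServices
    foreach ($name in $item.GetValueNames()) {
        $data = ([string]($item.GetValue($name))).Trim('"')
        if ($name -match '^[0-9A-Fa-f]+$' -and $data -like "$systemDir\*") {
            $findings += [pscustomobject]@{ Artefact = 'RunServices value'; Name = $name; Data = $data }
        }
    }
}

# 2. Dropped DLL: ~xxxx.tmp in the temp directory; the entry gives its size as 17920 bytes,
#    so the size is reported for comparison rather than used as a hard filter.
Get-ChildItem -Path $env:TEMP -Filter '~*.tmp' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^~[0-9A-Fa-f]{4}\.tmp$' } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Artefact = 'Temp DLL candidate'; Name = $_.FullName; Data = "$($_.Length) bytes" }
    }

# 3. Presence marker: OpenExisting throws when no mutex of that name exists
#    (or when it cannot be opened), so any exception is treated as "not found".
try {
    $m = [System.Threading.Mutex]::OpenExisting('00:24:03:54A9D')
    $m.Dispose()
    $findings += [pscustomobject]@{ Artefact = 'Mutex'; Name = '00:24:03:54A9D'; Data = 'present' }
} catch { }

if ($findings) { $findings | Format-Table -AutoSize } else { 'No Bobax.a artefacts found.' }
```

Run it from an elevated prompt so the HKLM key and the system directory are readable; the RunServices key is absent on current Windows versions, in which case only the temp-file and mutex checks apply.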

Payload

The Trojan receives commands from web servers, making it possible for:

  • the current version of the Trojan to be updated
  • programs to be downloaded to the victim machine, and then executed
  • the Trojan to propagate using a vulnerability in Microsoft LSASS
  • mass mailings to be carried out from the victim machine
  • the author of the program to get information about the victim machine
