Trojan-Proxy.Win32.Bobax.a

This Trojan program makes it possible for the infected machine to be used as a proxy server.

Bobax propagates only on command from its controllers, using a vulnerability in the Microsoft LSASS service.

The Trojan is written in Microsoft Visual C++, and its body is encrypted. It runs under Windows and is 20480 bytes in size.

Installation

When launched, Bobax decrypts its body and saves it as a .dll file in the temporary directory under the random name ~xxxx.tmp, where xxxx is a random hexadecimal string.

This .dll file is the main Trojan component; it is packed with UPX and is 17920 bytes in size.

Once the .dll file is loaded, the executable component copies itself to the Windows system directory under a name made up of randomly chosen characters.

It creates the mutex 00:24:03:54A9D to flag its presence on the system, and registers itself in the system registry as an auto-run entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"[Random key name]" = "[Path to executable file]"

The value name ([Random key name] above) is a random number in hexadecimal format.
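The installation details above (a ~xxxx.tmp dropper of 17920 bytes, a hex-named RunServices value pointing into the system directory, and the mutex) are the indicators a responder would check first. The following triage script is an added example and not part of this encyclopedia entry: it parses a `reg export` of the RunServices key and a directory listing of the temporary folder, both constructed here as sample input, and flags entries matching the pattern described above. The file names xkqzpv.exe and ~4e1a.tmp are hypothetical; the mutex check only runs on a live Windows host and returns None elsewhere.

```python
import re
import sys

RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
DROPPED_DLL_SIZE = 17920                       # size of the UPX-packed main component
BOBAX_MUTEX = "00:24:03:54A9D"                 # mutex named in the description above
TEMP_DLL_NAME = re.compile(r"^~[0-9A-Fa-f]{4}\.tmp$")
HEX_VALUE_NAME = re.compile(r"^[0-9A-Fa-f]+$")
SYSTEM_DIR_PATH = re.compile(r"\\system(32)?\\[^\\]+\.(exe|dll)$", re.IGNORECASE)

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed sample of a `reg export` of the RunServices key: one benign entry
# and one Bobax-style entry with a hypothetical file name. Not a real capture.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
"3A9F1C2E"="C:\\WINDOWS\\system32\\xkqzpv.exe"
"""

# Constructed listing of the temporary directory as (file name, size in bytes).
SAMPLE_TEMP_LISTING = [
    ("~DF3B21.tmp", 16384),   # six hex digits: not the ~xxxx.tmp pattern
    ("~4e1a.tmp", 17920),     # name pattern and size both match the dropped .dll
    ("~9c3f.tmp", 20480),     # right name pattern, wrong size
]


def parse_reg_export(text):
    """Parse .reg export text into (key, value name, data) tuples.
    Doubled backslashes and escaped quotes in the data are unescaped."""
    entries, current_key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_LINE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _VALUE_LINE.match(line)
        if m and current_key:
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            entries.append((current_key, m.group(1), data))
    return entries


def find_bobax_autoruns(entries):
    """Return RunServices values whose name is hex-only and whose data is an
    executable inside the Windows system directory (both traits described above).
    A hex-only name alone is a weak signal; the path check narrows it."""
    hits = []
    for key, name, data in entries:
        if key.lower() != RUNSERVICES_KEY.lower():
            continue
        if HEX_VALUE_NAME.match(name) and SYSTEM_DIR_PATH.search(data):
            hits.append({"key": key, "name": name, "path": data})
    return hits


def find_dropped_dll(listing):
    """Return temp files named ~xxxx.tmp (four hex digits) whose size equals the
    UPX-packed .dll; the size is what separates them from ordinary scratch files."""
    return [name for name, size in listing
            if TEMP_DLL_NAME.match(name) and size == DROPPED_DLL_SIZE]


def mutex_present(name=BOBAX_MUTEX):
    """On Windows, try to open the named mutex; True/False if the call ran,
    None on other platforms where the check is not possible."""
    if sys.platform != "win32":
        return None
    import ctypes
    SYNCHRONIZE = 0x00100000
    handle = ctypes.windll.kernel32.OpenMutexW(SYNCHRONIZE, False, name)
    if not handle:
        return False
    ctypes.windll.kernel32.CloseHandle(handle)
    return True


if __name__ == "__main__":
    for hit in find_bobax_autoruns(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("suspicious autorun:", hit["name"], "->", hit["path"])
    for name in find_dropped_dll(SAMPLE_TEMP_LISTING):
        print("possible dropped component:", name)
    print("mutex present:", mutex_present())
```

On a real host, feed the script the output of `reg export` for the key and a listing of %TEMP%; a hit on both the registry value and the mutex is far stronger evidence than either alone, since a short hex-only value name can occur in benign software.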

Payload

The Trojan receives commands from web servers, which make it possible for:

  • the current version of the Trojan to be updated
  • programs to be downloaded to the victim machine, and then executed
  • the Trojan to propagate using a vulnerability in Microsoft LSASS
  • mass mailings to be carried out from the victim machine
  • the author of the program to get information about the victim machine

©Virus-Encyclopedia.com All Rights Reserved.