

MS04-011: Bobax.C - MEDIUM RISK (at Secunia)


#1 harrywaldron


    Security Reporter


Posted 21 May 2004 - 08:35 AM

W32.Bobax.C is a worm that exploits both the LSASS vulnerability using port 445 (described in Microsoft Security Bulletin MS04-011) and the DCOM RPC vulnerability (first described in Microsoft Security Bulletin MS03-026) using TCP port 135.

Infected computers can become email relays.

W32.Bobax.C differs from W32.Bobax.A as follows:

* Uses a different, and variable, mutex name
* Has a different size and MD5
* Performs connection speed testing
* Has the ability to update itself
* Has the ability to report system information back to the author
* Takes advantage of the DCOM RPC vulnerability described in Microsoft Security Bulletin MS03-026

While this threat may execute on Windows 95/98/Me/Server 2003-based computers, it targets only Windows 2000/XP-based computers for exploitation.


Degrades performance: Causes significant performance degradation.
Causes system instability: May cause the machine to reboot.
Compromises security settings: Allows unauthorized remote access.
Ports: 445/tcp, 5000/tcp, random ports

Port 135 Traffic Increase Due To Bobax.C

A third Bobax variant has been discovered that now uses the RPC/DCOM vulnerability on TCP port 135 in addition to the existing probes on TCP ports 445 and 5000. The DCOM exploit code in Bobax.C contains offsets for both Windows 2000 and Windows XP so Bobax.C can now infect both of these OSes where Bobax A or B could only infect Windows XP. For more details, see http://www.lurhq.com/bobax.html
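
Added example, not part of the original post: a small detection sketch that reads firewall connection records and flags internal hosts contacting many distinct addresses on the TCP ports the post lists (135, 445, 5000). The log layout, the addresses, the `min_targets` threshold and the function names are assumptions made for illustration, and the sample records are constructed.

```python
from collections import defaultdict

# Ports the post lists for Bobax probing: 445 and 5000, plus 135 added by Bobax.C.
WATCHED_PORTS = {135, 445, 5000}

# Constructed sample log; the "time src dst dport proto" layout is an assumption.
SAMPLE_LOG = "\n".join(
    [f"2004-05-21T08:00:{i:02d} 10.0.0.23 192.0.2.{i} {p} tcp"
     for i in range(1, 7) for p in (135, 445, 5000)]
    + [f"2004-05-21T08:02:{i:02d} 10.0.0.77 198.51.100.{i} {p} tcp"
       for i in range(1, 6) for p in (445, 5000)]
    + ["2004-05-21T08:03:00 10.0.0.40 10.0.0.5 445 tcp",  # ordinary file-server use
       "2004-05-21T08:03:09 10.0.0.41 192.0.2.9 80 tcp",
       "malformed line"]
)

def parse_line(line):
    """Return (src, dst, dport) for a TCP record, or None if the line is unusable."""
    parts = line.split()
    if len(parts) != 5 or parts[4].lower() != "tcp":
        return None
    try:
        return parts[1], parts[2], int(parts[3])
    except ValueError:
        return None

def find_scanners(log_text, min_targets=5):
    """Flag sources that reached >= min_targets distinct hosts on watched ports."""
    targets = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] in WATCHED_PORTS:
            src, dst, port = rec
            targets[src][port].add(dst)
    findings = {}
    for src, by_port in targets.items():
        all_dsts = set().union(*by_port.values())
        if len(all_dsts) >= min_targets:
            findings[src] = {"ports": sorted(by_port),
                             "distinct_targets": len(all_dsts),
                             "includes_135": 135 in by_port}
    return findings

if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(src, info)
```

A host flagged with `includes_135` set matches the port set the post gives for Bobax.C; the port pattern alone does not identify the worm, so a flagged host still needs to be examined.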
