MS04-011: Bobax.C - MEDIUM RISK (at Secunia) http://secunia.com/virus_information/9513/
W32.Bobax.C is a worm that exploits both the LSASS vulnerability using port 445 (described in Microsoft Security Bulletin MS04-011) and the DCOM RPC vulnerability (first described in Microsoft Security Bulletin MS03-026) using TCP port 135.
Infected computers can become email relays.
W32.Bobax.C differs from W32.Bobax.A as follows:
* Uses a different, and variable, mutex name
* Has a different size and MD5
* Performs connection speed testing
* Has the ability to update itself
* Has the ability to report system information back to the author
* Takes advantage of the DCOM RPC vulnerability described in Microsoft Security Bulletin MS03-026
While this threat may execute on Windows 95/98/Me/Server 2003-based computers, it targets only Windows 2000/XP-based computers for exploitation.
Degrades performance: Causes significant performance degradation.
Causes system instability: May cause the machine to reboot.
Compromises security settings: Allows unauthorized remote access.
Ports: 445/tcp, 5000/tcp, random ports
Port 135 Traffic Increase Due To Bobax.C http://www.incidents.org/diary.php?date=2004-05-20
A third Bobox variant has been discovered that now uses the RPC/DCOM vulnerability on TCP port 135 in addition to the existing probes on TCP ports 445 and 5000. The DCOM exploit code in Bobax.C contains offsets for both Windows 2000 and Windows XP so Bobax.C can now infect both of these OSes where Bobax A or B could only infect Windows XP.For more details, see http://www.lurhq.com/bobax.html