W32/Bobax.A!worm

Analysis


Specifics
This 32-bit worm has a packed file size of 20,480 bytes. It spreads by exploiting a buffer overflow vulnerability in the Local Security Authority Subsystem Service (LSASS) [ref: MS04-011 http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx].

The overflow is caused by an unchecked buffer in LSASS. This service is responsible for local security policy, domain authentication and Active Directory processing; it handles authentication for both the client and the server side, and also contains features used to support Active Directory utilities. Because LSASS runs as SYSTEM, a successful exploit gives the attacker full control of the host.

The worm locates candidate systems by scanning random IP addresses on TCP port 5000 (the SSDP/UPnP discovery port that Windows XP listens on, so a response identifies a likely XP host). Systems which respond are then attacked with the LSASS exploit over TCP port 445.
Load At Windows Startup
When run, the worm copies itself to the System32 folder as a randomly named EXE file, for example "jrfptt.exe". It creates a mutex named "00:24:03:54A9D"; if that mutex already exists, the worm assumes the system is already infected and exits. It then registers itself to load at each Windows startup under a randomly generated value name, as in these examples:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"943A7E92" = C:\WINNT\System32\jrfptt.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"B9D56238" = C:\WINNT\System32\jrfptt.exe
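The startup entries above are easy to hunt for because of their shape: an eight-hex-digit value name whose data is a six-letter EXE in System32. The following Python is an added example (not part of the FortiGuard write-up) that encodes that shape as a check over Run/RunServices entries, reads the live keys via winreg when it runs on Windows, and otherwise runs against a constructed sample modelled on the listing above. The regex bounds, the sample entries and the benign "Updater" decoy are assumptions for the example.

```python
import re

# Heuristics taken from the Bobax.A description above: the autostart value name
# is a run of eight hex digits (e.g. "943A7E92") and its data points to a
# randomly named six-letter EXE dropped in System32 (e.g. "...\System32\jrfptt.exe").
VALUE_NAME_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
DROPPED_EXE_RE = re.compile(r"\\System32\\[a-z]{6}\.exe$", re.IGNORECASE)

# HKLM subkeys the worm writes to (both listed in the analysis above).
RUN_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)


def suspicious_autostarts(run_entries):
    """run_entries maps a Run/RunServices subkey path to {value_name: value_data}.
    Returns [(subkey, value_name, path)] for entries matching the Bobax pattern."""
    hits = []
    for subkey, values in run_entries.items():
        for name, data in values.items():
            path = data.strip().strip('"')
            if VALUE_NAME_RE.match(name) and DROPPED_EXE_RE.search(path):
                hits.append((subkey, name, path))
    return hits


def read_run_keys_live():
    """Read the two HKLM autostart keys on a live Windows host via winreg.
    Returns {} on non-Windows systems so the rest of the module stays usable."""
    try:
        import winreg
    except ImportError:
        return {}
    entries = {}
    for subkey in RUN_KEYS:
        values = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                i = 0
                while True:
                    try:
                        name, data, _type = winreg.EnumValue(key, i)
                    except OSError:
                        break  # no more values under this key
                    values[name] = str(data)
                    i += 1
        except OSError:
            continue  # key may be absent (RunServices is not normally present)
        entries[subkey] = values
    return entries


# Constructed sample modelled on the registry listing above (not real host data);
# the "Updater" entry is a benign decoy that must not be flagged.
SAMPLE_ENTRIES = {
    RUN_KEYS[0]: {
        "943A7E92": r"C:\WINNT\System32\jrfptt.exe",
        "Updater": r"C:\Program Files\Example\updater.exe",
    },
    RUN_KEYS[1]: {
        "B9D56238": r"C:\WINNT\System32\jrfptt.exe",
    },
}

if __name__ == "__main__":
    entries = read_run_keys_live() or SAMPLE_ENTRIES
    for subkey, name, path in suspicious_autostarts(entries):
        print(f'suspicious autostart: HKLM\\{subkey} "{name}" = {path}')
```

Pair a hit with the mutex name from the analysis ("00:24:03:54A9D") and a hash of the referenced EXE before calling it an infection; the naming pattern alone is a triage signal, not proof, and later variants may use different names.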

Search For Targets
The worm begins scanning random IP addresses on destination TCP port 5000. Systems which respond become targets: Bobax sends the LSASS buffer overflow exploit to the target over TCP port 445 in order to gain code execution. Once the target is compromised, it is made to retrieve a copy of the worm from the attacking (source) system over HTTP on TCP port 80 and execute it, after which the new host starts scanning in turn.
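The propagation sequence described above has a distinctive network signature: one source sweeping TCP/5000 across many hosts, 445 connections to the hosts that answered, and a connection back to the scanner on TCP/80 from an exploited host. The following Python is an added detection example (not part of the FortiGuard write-up) that correlates those three steps over a constructed firewall-style connection log. The whitespace log format, the addresses, the thresholds, and the simplification that an "accept" on port 5000 means the host answered are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

SCAN_PORT, EXPLOIT_PORT, FETCH_PORT = 5000, 445, 80
MIN_TARGETS = 5   # distinct hosts probed on 5000 within WINDOW before we call it a sweep
WINDOW = 60       # seconds

# Constructed connection log for this example (not real telemetry).
# Fields: time src dst dport action. 10.0.0.7 sweeps TCP/5000, then hits
# TCP/445 on the two hosts that answered, and one of them fetches the worm
# back from 10.0.0.7 over TCP/80. 10.0.0.9 is ordinary SMB and web traffic.
SAMPLE_LOG = """\
2004-05-17T10:00:01 10.0.0.7 10.0.1.1 5000 deny
2004-05-17T10:00:01 10.0.0.7 10.0.1.2 5000 deny
2004-05-17T10:00:02 10.0.0.7 10.0.1.3 5000 accept
2004-05-17T10:00:02 10.0.0.7 10.0.1.4 5000 deny
2004-05-17T10:00:03 10.0.0.7 10.0.1.5 5000 accept
2004-05-17T10:00:03 10.0.0.7 10.0.1.6 5000 deny
2004-05-17T10:00:05 10.0.0.7 10.0.1.3 445 accept
2004-05-17T10:00:06 10.0.0.7 10.0.1.5 445 accept
2004-05-17T10:00:09 10.0.1.3 10.0.0.7 80 accept
2004-05-17T10:01:00 10.0.0.9 10.0.1.3 445 accept
2004-05-17T10:01:10 10.0.0.9 10.0.1.20 80 accept
"""


def parse_log(text):
    """Parse the assumed whitespace format into (ts, src, dst, dport, action), time-ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    events.sort(key=lambda e: e[0])
    return events


def detect_bobax_propagation(events, min_targets=MIN_TARGETS, window=WINDOW):
    """Return {scanner: {probed, exploited, fetched_payload}} for sources that
    sweep TCP/5000 and then follow up on 445 against the hosts that answered."""
    recent = defaultdict(list)     # src -> [(ts, dst)] probes on 5000 inside the window
    probed = defaultdict(set)      # src -> every dst probed on 5000
    responders = defaultdict(set)  # src -> dsts that accepted the 5000 probe
    exploits = defaultdict(set)    # src -> responders it then contacted on 445
    fetches = defaultdict(set)     # attacker -> exploited hosts that connected back on 80
    scanners = set()
    for ts, src, dst, dport, action in events:
        if dport == SCAN_PORT:
            recent[src] = [(t, d) for t, d in recent[src]
                           if (ts - t).total_seconds() <= window]
            recent[src].append((ts, dst))
            probed[src].add(dst)
            if len({d for _, d in recent[src]}) >= min_targets:
                scanners.add(src)
            if action == "accept":
                responders[src].add(dst)
        elif dport == EXPLOIT_PORT and dst in responders[src]:
            exploits[src].add(dst)  # 445 only counts against a host that answered 5000
        elif dport == FETCH_PORT and src in exploits[dst]:
            fetches[dst].add(src)   # victim pulling the worm back from the attacker
    return {s: {"probed": len(probed[s]),
                "exploited": sorted(exploits[s]),
                "fetched_payload": sorted(fetches[s])}
            for s in sorted(scanners)}


if __name__ == "__main__":
    for scanner, detail in detect_bobax_propagation(parse_log(SAMPLE_LOG)).items():
        print(scanner, detail)
```

A host that appears under "fetched_payload" has completed the whole chain and should be treated as infected, not merely attacked; "exploited" hosts without a fetch still need checking, since the download can go unlogged if it crosses a path the firewall does not see. On a real FortiGate you would feed the traffic log's srcip, dstip, dstport and action fields into the same correlation instead of the toy format assumed here.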


Recommended Action

  • Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, block external-to-internal traffic on TCP ports 445 and 5000 (the worm's scan and exploit ports)
  • For Windows XP users, enable the built-in personal firewall; it blocks unsolicited inbound traffic and would stop this Internet worm's probes and exploit attempts
  • Ensure affected systems are updated with the latest Microsoft security patches, and specifically the update for the LSASS vulnerability addressed in MS04-011

Telemetry

Detection Availability

  • FortiGate (Extended signature database)
  • FortiClient
  • FortiMail
  • FortiSandbox
  • FortiWeb (Web Application Firewall)
  • FortiIsolator
  • FortiDeceptor
  • FortiEDR

Version Updates

Date Version Detail
2019-08-27 71.17600 Sig Updated
2019-07-23 70.19200 Sig Updated
2019-07-17 70.04400 Sig Updated
2018-10-16 62.96900 Sig Updated
2018-10-09 62.80100 Sig Updated
2018-09-24 62.43300 Sig Updated
2018-09-23 62.42700 Sig Updated
2018-09-23 62.42600 Sig Updated
2018-09-23 62.41100 Sig Updated
2018-09-23 62.41000 Sig Updated