W32/Bobax.A!worm
Analysis
Specifics
This 32-bit virus has a packed file size of 20,480 bytes.
This threat takes advantage of a buffer overflow vulnerability in the Local Security Authority Subsystem Service (LSASS) [ref: MS04-011, http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx].
The buffer overrun exists because of an unchecked buffer in the Local Security Authority Subsystem Service. This service is responsible for managing local security, domain authentication, and Active Directory processes. It handles authentication for the client and for the server. It also contains features that are used to support Active Directory utilities.
This virus attempts to locate vulnerable systems by first scanning random IP addresses on target TCP port 5000. Systems which respond are then targeted by the exploit using TCP port 445.
Load At Windows Startup
If this virus is run, it will copy itself to the System32 folder as a randomly named EXE file such as "jrfptt.exe". The virus creates a Mutex named "00:24:03:54A9D"; if this Mutex already exists, the virus assumes it has already infected the system and will not run. The virus registers itself to load at each Windows startup, as in these examples:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"943A7E92" = C:\WINNT\System32\jrfptt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"B9D56238" = C:\WINNT\System32\jrfptt.exe
Search For Targets
The virus begins scanning random IP addresses on destination TCP port 5000. Systems which respond become targets for Bobax: Bobax sends a buffer overflow exploit to the target in order to gain access. Once the target is compromised, Bobax attempts to retrieve itself from the source system over HTTP (TCP port 80), and then executes the copy it received.
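As an added illustration, not part of this advisory: a small Python detector that runs over constructed firewall log lines and flags hosts showing the scan-then-exploit sequence described above (many distinct destinations probed on TCP 5000 within a short window, some of them then contacted on TCP 445). The log field layout, the IP addresses and the thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample log lines for this example (not from the advisory);
# fields: epoch_seconds src_ip dst_ip dst_port
SAMPLE_LOG = """\
1000 10.0.0.5 192.0.2.10 5000
1002 10.0.0.5 192.0.2.33 5000
1003 10.0.0.5 198.51.100.7 5000
1004 10.0.0.5 203.0.113.9 5000
1006 10.0.0.5 198.51.100.7 445
1007 10.0.0.5 203.0.113.40 5000
1010 10.0.0.5 192.0.2.80 5000
1011 10.0.0.5 203.0.113.9 445
1020 10.0.0.8 10.0.0.1 443
1021 10.0.0.8 10.0.0.2 5000
"""

def parse_log(text):
    """Yield (ts, src, dst, dport) tuples from whitespace-separated log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield int(ts), src, dst, int(dport)

def find_bobax_scanners(text, scan_port=5000, exploit_port=445,
                        min_targets=5, window=60):
    """Return {src: (distinct scan_port targets in busiest window, follow-ups)}.

    A source is reported when it probes at least min_targets distinct hosts on
    scan_port within window seconds; the second value counts probed hosts that
    the same source also contacted on exploit_port (the scan-then-exploit step).
    """
    scans = defaultdict(list)      # src -> [(ts, dst)] seen on scan_port
    exploits = defaultdict(set)    # src -> {dst} seen on exploit_port
    for ts, src, dst, dport in parse_log(text):
        if dport == scan_port:
            scans[src].append((ts, dst))
        elif dport == exploit_port:
            exploits[src].add(dst)
    hits = {}
    for src, events in scans.items():
        events.sort()
        # largest set of distinct destinations inside any window-second span
        best = max(len({d for t, d in events[i:] if t - t0 <= window})
                   for i, (t0, _) in enumerate(events))
        if best >= min_targets:
            probed = {d for _, d in events}
            hits[src] = (best, len(probed & exploits[src]))
    return hits
```

In the sample, 10.0.0.5 probes six hosts on port 5000 within ten seconds and then contacts two of them on port 445, while 10.0.0.8 stays below the threshold.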
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option
- Using the FortiGate manager, block external-to-internal traffic on TCP ports 445 and 5000
- For Windows XP users, enable the Personal Firewall; this feature automatically blocks unsolicited inbound traffic and would protect against this Internet worm
- Ensure affected systems are updated with the latest Microsoft security patches, and specifically the update which addresses this vulnerability in MS04-011
Version Updates
Date | Version | Detail |
---|---|---|
2019-08-27 | 71.17600 | Sig Updated |
2019-07-23 | 70.19200 | Sig Updated |
2019-07-17 | 70.04400 | Sig Updated |
2018-10-16 | 62.96900 | Sig Updated |
2018-10-09 | 62.80100 | Sig Updated |
2018-09-24 | 62.43300 | Sig Updated |
2018-09-23 | 62.42700 | Sig Updated |
2018-09-23 | 62.42600 | Sig Updated |
2018-09-23 | 62.41100 | Sig Updated |
2018-09-23 | 62.41000 | Sig Updated |