This week's report on viruses and intrusions will deal with the worms Bobax.A, Bobax.B, Bobax.C, Kibuv.A and Lovgate.AF, as well as with the Trojan Ldpinch.W.
The three variants of the worm Bobax (A,B and C) are very similar, the only difference between them being the size of its infections code. The main feature of this new family is that, such as Sasser, they exploit the Windows LSASS vulnerability in order to spread. By doing so, they search the web for computers that contain the already mentioned vulnerability. If successful, Bobax sends instructions to the affected computer to download and run a copy of the worm. When these worms exploit the LSASS vulnerability, they launch a buffer overrun that restarts the computer.
Although the LSASS vulnerability only affects Windows XP/2000 operating systems, Bobax and all its variants can also affect other Windows platforms. In this second case, Bobax worms cannot spread to these computers automatically: they need users to execute a file containing a copy of themselves in order to carry out their infections.
Once they have been executed, the Bobax worms open several TCP ports, thus allowing hackers to use the affected computers as SMTP mail servers. By doing so, computers can be turned into 'zombies' for sending spam.
Kibuv.A is another imitator of Sasser, and their effects are very similar. It also exploits the LSASS vulnerability in order to spread, thus restarting the computer. Like the Bobax worms, Kibuv.A affects all the Windows operating systems, but it only spreads automatically to Windows XP/2000 computers.
Lovgate.AF is a worm with backdoor characteristics that uses several techniques to spread, such as e-mail messages, the peer-to-peer (P2P) file sharing program KaZaA, shared network resources, etc.
Once it has reached a computer, Lovgate.AF opens a port and sends an e-mail message to a remote user, in order to notify that the computer has been affected and it is accessible through the port opened.
Finally, the Trojan Ldpinch.W. has been sent massively by hackers in an e-mail message with the subject 'Important news about our soldiers in
Ldpinch.W steals confidential information on the affected computer and then sends it out to a specific e-mail address. By doing so, the virus author can use this data with malicious intent.
For further information about these and other computer threats, visit
Panda Software's Virus Encyclopedia at:
- Vulnerabilities: Flaws or security holes in a program or IT system, and often used by viruses as a means of infection.
- Backdoor Trojan: this is a program that enters the computer and creates a backdoor through which it is possible to control the affected system without the user realizing.
More definitions at:
On receiving a possibly infected file, Panda Software's technical
staff get straight down to work. The file is analysed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.