Panda Software Warns of Two New Variants of the Bobax Worm

PandaLabs has also detected the appearance of the Trojan Ldpinch.W, which hides in e-mail messages with the subject: "Important news about our soldiers in IRAQ!!!"
 
PandaLabs has detected variants B and C of the Bobax worm, two new malicious codes which join Bobax.A, discovered some days ago. As a result, the probability of computers being infected by one of the Bobax worms has increased considerably.

Like the Sasser family of worms, the three Bobax variants exploit the Windows LSASS vulnerability to spread. These worms try to access a large number of IP addresses to see if the computers they belong to have the LSASS vulnerability.

If that is the case, Bobax sends instructions to the affected computer to download a copy of the worm. Also, when any of the Bobax worms exploits the LSASS vulnerability, a buffer overrun is produced that causes the affected system to restart.

Even though the LSASS vulnerability affects only Windows XP and 2000 systems, Bobax and its variants can also spread to the other Windows platforms. However, in the latter case the worms do not spread automatically: the user must run a file that contains a Bobax specimen for the system to be infected.

Once installed on a computer, the Bobax worms open several random communication ports, which could allow a remote user to use the affected system as an SMTP server for sending mail. In this way, targeted computers could become 'zombies' for sending spam.

PandaLabs has also detected e-mails carrying the new Trojan Ldpinch.W. Even though this is not an extremely dangerous malicious code, it takes advantage of headline news, the Iraq conflict, to trick users and infect their computers.

The message that carries Ldpinch.W has the following characteristics:
Subject:
Important news about our soldiers in IRAQ!!!
Message:
Seven officers was lost today,
follow the link to get the full story.
[Internet address]
Attached file:
IMPORTANT INFORMATION.ZIP, which in turn contains the file IMPORTANT INFORMATION.SCR.
The Internet address shown in the message includes information on the Iraq war. However, if the user runs the attached file, Ldpinch.W will be installed on the computer.

This Trojan is designed to steal confidential information from the system and send it to a predetermined e-mail address. In this way, the virus creator could use the stolen data in a fraudulent manner.
In order to prevent your computer from falling victim to any of the Bobax worms or Ldpinch.W, Panda Software (UK) advises users to tighten security measures and keep their antiviruses updated. Panda Software (UK) has made the updates necessary to its products available to clients to detect and disinfect these new malicious codes.

In order to avoid attacks from Bobax or its variants it is necessary to install the Microsoft patch http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx that fixes the LSASS vulnerability.
More information about these and other IT threats is available in Panda Software's Virus Encyclopedia http://www.pandasoftware.com/virus_info/encyclopedia/.
