Ya ahora ante dos nuevas variantes de un mismo virus, BOBAX, si bien todavía no hemos tenido incidencias, se recomenda la actualizacion de los parches de microsoft a todas las máquinas con sistemas operativos de tecnología NT (XP y W2000), aunque cada día son menos los ordenadores sin actualizar los parches, se recomienda especialmente hacerlo a la vista de que este agujero está siendo usado cada vez mas por nuevos virus.
Relacion de virus conocidos hasta la fecha que usan esta vulnerabilidad LSASS (parche MS04-011(:
SASSER A, B, C, D, E , F y G
CYCLE A, B
KiBuV, A, B
BOBAX
Con todos ellos, aplicando los parches se impide su entrada (especialmente el MS04-011) y en nuestra utilidad ELILSA.EXE vamos acumulando las eliminaciones correspondientes.
Para el nuevo BOBAX adelantamos la descripcion de McAfee, pudiendose controlar desde ahora conn los DATS diarios, ejecutando el SDATDAILY.EXE.
__________________________________________
Virus Name Risk Assessment
W32/Bobax.worm.a Corporate User : Low
Home User : Low
Virus Information
Discovery Date: 05/17/2004
Origin: Unknown
Length: 20,480 bytes (EXE)
17,920 bytes (DLL)
Type: Virus
SubType: Internet Worm
Minimum DAT: 4361 (05/19/2004)
Updated DAT: 4361 (05/19/2004)
Minimum Engine: 4.2.40
Description Added: 05/17/2004
Description Modified: 05/17/2004 7:28 AM (PT)
Description Menu
Virus Characteristics
Symptoms
Method Of Infection
Removal Instructions
Variants / Aliases
Rate This page
Print This Page
Email This Page
Legend
Virus Characteristics:
This self-executing worm spreads by exploiting a Microsoft Windows vulnerability [MS04-011 vulnerability (CAN-2003-0533)].
Note: Users should install the Microsoft update to be protected from the exploit used by this worm. See:
The worm spreads with a random filename. When run, it drops a DLL which it injects into the EXPLORER.EXE process. The DLL contains the main worm's functionality.
Top of Page
Symptoms
The virus copies itself to the %SysDir% directory using a random filename. It adds a Registry key in order to load itself at system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run "(random string)" = %SysDir%\(random filename).exe
(Where %SysDir% is the System directory, for example: C:\WINDOWS\SYSTEM32.)
When executed, the worm executable drops a DLL into the temporary directory, and injects the DLL into the EXPLORER.EXE process. A side effect of this injection is that EXPLORER.EXE may unexpectedly terminate on the victim machine.
Another side effect of this worm is that LSASS.EXE may crash on attacked machines. By default such a system will reboot after the crash occurs. The following Window may be displayed:
Top of Page
Method Of Infection
Initial analysis suggests the worms scans IP ranges looking for exploitable machines. If found, a buffer in LSASS.EXE is overflowed in order to create a remote shell. Then the worm is downloaded from the attacking host via HTTP.
Please note - this worm is still under analysis and description will be updated once complete.
Top of Page
Removal Instructions
Detection and removal is included in our DAILY DAT (beta) files and will also be included in the next weekly DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.
__________________________________________
saludos
ms, 17-05-2004