Weekly Report on Viruses and Intrusions – Bobax A/B/C, Kibuv.A and Lovgate.AF Worms
This week’s report on viruses and intrusions will deal with the worms Bobax.A, Bobax.B, Bobax.C, Kibuv.A and Lovgate.AF, as well as with the Trojan Ldpinch.W.
The three variants of the Bobax worm (A, B and C) are very similar; the only difference between them is the size of their code. The main feature of this new family is that, like Sasser, they exploit the Windows LSASS vulnerability in order to spread: they scan the Internet for computers with this vulnerability and, when they find one, send it instructions to download and run a copy of the worm. The buffer overrun used to exploit the LSASS vulnerability causes the affected computer to restart.
Although the LSASS vulnerability only affects the Windows XP/2000 operating systems, the Bobax worms can also affect other Windows platforms. On those platforms, however, they cannot spread automatically: a user has to run a file containing a copy of the worm for the infection to take place.
Once they have been run, the Bobax worms open several TCP ports, which allows attackers to use the affected computers as SMTP mail servers. In this way, the computers are turned into ‘zombies’ for sending spam.
Kibuv.A is another imitator of Sasser, with very similar effects. It also exploits the LSASS vulnerability in order to spread, causing the computer to restart. Like the Bobax worms, Kibuv.A affects all Windows operating systems, but it only spreads automatically to Windows XP/2000 computers.
Lovgate.AF is a worm with backdoor characteristics that spreads through several channels: e-mail messages, the peer-to-peer (P2P) file-sharing program KaZaA, shared network resources, etc.
Once it has reached a computer, Lovgate.AF opens a port and sends an e-mail message to a remote user, notifying them that the computer has been infected and is accessible through the port it has opened.
Finally, the Trojan Ldpinch.W has been mass-mailed by attackers in an e-mail message with the subject ‘Important news about our soldiers in IRAQ!!!’. The message contains text about the conflict in Iraq and a link to a web page with information on the subject. It carries the compressed attachment IMPORTANT INFORMATION.ZIP, which in turn contains the file IMPORTANT INFORMATION.SCR. When the user runs this file, Ldpinch.W is installed on the computer.
Ldpinch.W steals confidential information from the affected computer and sends it to a specific e-mail address, where the Trojan’s author can use the data with malicious intent.
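The Ldpinch.W lure above follows a pattern that a mail gateway can catch without a signature for the specific sample: a ZIP attachment that hides a Windows executable (here a .SCR screensaver file). The following Python script is an added example written for this report, not code from the original page or from any vendor; it constructs a message with the subject and attachment names quoted above (the body text and the .SCR content are made up, since the real sample is not on the page), then scans any message for ZIP attachments containing executable file types. The extension blocklist is an assumption typical of gateway filtering and goes beyond the single .SCR case in the report.

```python
"""Flag e-mail messages carrying a ZIP attachment that contains an executable.

Added example: the sample message is constructed here to mimic the Ldpinch.W
lure described in the report. Only the subject and the two file names come
from the report; the body text and the fake .scr bytes are made up.
"""
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows runs when double-clicked. Assumption: a typical mail-gateway
# blocklist, not a list taken from the report.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def build_sample_message() -> bytes:
    """Construct a lure message shaped like the one that delivered Ldpinch.W."""
    payload = io.BytesIO()
    with zipfile.ZipFile(payload, "w", zipfile.ZIP_DEFLATED) as zf:
        # Fake executable content (constructed); a real .scr is a full PE file.
        zf.writestr("IMPORTANT INFORMATION.SCR", b"MZ" + b"\x00" * 64)
    msg = EmailMessage()
    msg["From"] = "news@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Important news about our soldiers in IRAQ!!!"
    msg.set_content("Read the attached report and visit our site for more.")
    msg.add_attachment(payload.getvalue(), maintype="application", subtype="zip",
                       filename="IMPORTANT INFORMATION.ZIP")
    return msg.as_bytes()


def find_executables_in_zip(data: bytes) -> list:
    """Return the names of ZIP members whose extension is on the blocklist."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                ext = os.path.splitext(name)[1].lower()
                if ext in EXECUTABLE_EXTENSIONS:
                    hits.append(name)
    except zipfile.BadZipFile:
        # Not a ZIP at all: nothing to inspect here.
        pass
    return hits


def scan_message(raw: bytes) -> list:
    """Return (attachment name, member name) pairs for executables hidden in ZIPs."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        data = part.get_payload(decode=True)
        if not data:
            continue
        # Check the content as well as the declared name: a ZIP renamed to
        # .dat still opens in Explorer, so the "PK" magic matters more.
        if data[:2] == b"PK" or filename.lower().endswith(".zip"):
            for member in find_executables_in_zip(data):
                findings.append((filename, member))
    return findings


if __name__ == "__main__":
    for attachment, member in scan_message(build_sample_message()):
        print(f"blocked: {attachment} contains executable {member}")
```

The check looks inside the archive rather than at the attachment name alone, because the ZIP wrapper is exactly what lets a .SCR past filters that only block bare executables; nested ZIPs and password-protected archives (which `zipfile` lists but cannot read) would need a further rule.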