MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2004

MA-074.052004: MyCERT Special Alert - Bobax Trojan

MyCERT recently received a report from a local user, and observed on one organization's network, scanning directed at TCP port 5000. On closer analysis we determined that this active scanning of TCP/5000 is caused by the propagation of a new, semi-automated trojan: the Bobax trojan.

Bobax is a new, Sasser-like trojan proxy that uses the MS04-011 (LSASS.EXE) vulnerability to propagate. When instructed to do so, it scans random IP addresses for vulnerable computers. The trojan was discovered on 17 May 2004 (US Pacific Time). Its primary purpose appears to be to build a large automated spamming network: Bobax sends mail using a template and a list of email addresses. This offloads almost all of the bandwidth cost of spamming onto the trojaned machines, allowing the spammer to operate at minimal cost.

The scan is performed on TCP port 5000 (the UPnP/SSDP listener on Windows XP), so an open port is usually a good indication of a Windows XP host. The trojan then connects to TCP port 445 and runs the LSASS exploit against the target. The trojan binary is served by a small HTTP server built into the infecting host's trojan process, after which the target is infected and under the spammer's control. According to the information we have received, the trojan currently targets Windows XP machines only.
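The propagation pattern described above (a sweep of many addresses on TCP/5000, followed by TCP/445 connections to the hosts that answered) is something a network operator can look for in firewall or flow logs. The script below is an added example written for this page, not code from MyCERT or from any of the linked vendors. It assumes a constructed, space-separated log format (`epoch_seconds src_ip dst_ip dst_port action`); the sample lines, the hosts, and the thresholds are all made up for illustration and should be adapted to the real log source.

```python
"""Flag hosts showing Bobax-style propagation in firewall/flow logs.

Added example, not part of the MyCERT advisory. The signal is the one the
advisory describes: one source probes many distinct hosts on TCP/5000, then
connects to TCP/445 on some of the hosts it just probed.

Assumed (constructed) log format, one record per line:
    <epoch_seconds> <src_ip> <dst_ip> <dst_port> <action>
"""
from collections import defaultdict

SCAN_PORT = 5000     # UPnP/SSDP on Windows XP; Bobax's reconnaissance probe
EXPLOIT_PORT = 445   # SMB; where the LSASS (MS04-011) exploit is delivered

# Constructed sample log. 10.0.0.5 behaves like a Bobax host: it sweeps twelve
# hosts on TCP/5000, two answer (ALLOW), and it then hits TCP/445 on exactly
# those two. Its TCP/445 connection to 192.168.1.200 was not preceded by a
# probe (e.g. a normal file-server session). 10.0.0.9 is benign traffic.
SAMPLE_LOG = """\
1084800000 10.0.0.5 192.168.1.10 5000 DENY
1084800000 10.0.0.5 192.168.1.11 5000 DENY
1084800001 10.0.0.5 192.168.1.12 5000 DENY
1084800001 10.0.0.5 192.168.1.13 5000 DENY
1084800002 10.0.0.5 192.168.1.14 5000 ALLOW
1084800002 10.0.0.5 192.168.1.15 5000 DENY
1084800003 10.0.0.5 192.168.1.16 5000 DENY
1084800003 10.0.0.5 192.168.1.17 5000 ALLOW
1084800004 10.0.0.5 192.168.1.18 5000 DENY
1084800004 10.0.0.5 192.168.1.19 5000 DENY
1084800005 10.0.0.5 192.168.1.20 5000 DENY
1084800005 10.0.0.5 192.168.1.21 5000 DENY
1084800007 10.0.0.5 192.168.1.14 445 ALLOW
1084800009 10.0.0.5 192.168.1.17 445 ALLOW
1084800010 10.0.0.5 192.168.1.200 445 ALLOW
1084800030 10.0.0.9 192.168.1.200 445 ALLOW
1084800031 10.0.0.9 192.168.1.14 5000 ALLOW
"""


def parse_line(line):
    """Parse one log record into (ts, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return int(ts), src, dst, int(dport), action


def find_bobax_scanners(lines, min_targets=8, window=300):
    """Return {src: {"scan_targets": n, "exploit_targets": [dst, ...]}}.

    A source is reported when it probed at least `min_targets` distinct hosts
    on TCP/5000. `exploit_targets` lists the probed hosts that received a
    TCP/445 connection from the same source within `window` seconds of the
    probe; a TCP/445 connection to a host that was never probed is ignored.
    """
    probes = defaultdict(dict)     # src -> {dst: time of first TCP/5000 probe}
    followups = defaultdict(set)   # src -> {dst hit on TCP/445 after a probe}
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ts, src, dst, dport, _action = parse_line(raw)
        if dport == SCAN_PORT:
            probes[src].setdefault(dst, ts)
        elif dport == EXPLOIT_PORT:
            probed_at = probes[src].get(dst)
            if probed_at is not None and 0 <= ts - probed_at <= window:
                followups[src].add(dst)

    result = {}
    for src, targets in probes.items():
        if len(targets) >= min_targets:
            result[src] = {
                "scan_targets": len(targets),
                "exploit_targets": sorted(followups[src]),
            }
    return result


if __name__ == "__main__":
    for src, info in find_bobax_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: probed {info['scan_targets']} hosts on TCP/{SCAN_PORT}, "
              f"TCP/{EXPLOIT_PORT} follow-up to {info['exploit_targets']}")
```

The sweep threshold alone would also catch legitimate UPnP discovery or an administrator's port scan; requiring the TCP/445 follow-up to land on hosts that were just probed is what ties the alert to the exploit step rather than to the noise on TCP/5000.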

More information on this trojan and technical details are available at:

Lurhq
http://www.lurhq.com/bobax.html

F-Secure
http://www.f-secure.com/v-descs/bobax.shtml

Kaspersky
http://www.viruslist.com/eng/viruslist.html?id=1521990

MyCERT's observation and assessment, based on reports and traffic information received from local ISPs, is that propagation of the trojan in Malaysia is currently at a low level. Nevertheless, we wish to alert users and organizations to the existence and propagation of this new trojan and urge them to take precautionary measures to defend against it.

MyCERT strongly urges that all machines be patched with the Microsoft LSASS patch (Microsoft Security Bulletin MS04-011) to prevent infection and further propagation of the trojan.

The patch can be downloaded at:
http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx

Systems/hosts should also run a personal firewall that blocks inbound TCP/445. Blocking inbound TCP/5000 as well prevents the host from being identified by the scan, although only the patch removes the underlying vulnerability.

Note: Windows XP already includes the Internet Connection Firewall (ICF), which can be used for this purpose.

MyCERT is available for assistance and can be reached at:

Tel: 03-89961901
Fax: 03-89960827
Email: mycert@mycert.org.my
http://www.mycert.org.my
Pager (24x7): http://www.mycert.org.my/report/pager/IRpager.html