Main Menu
Home
Bookmark
Contact Us

Categories
  Adware
  Adware Bundler
  AOL Exploit
  Backdoor
  Browser Hijacker
  Browser Plug-in
  Commercial Key Logger
  Commercial Remote Control
  Cookie
  Dialer
  E-Mail Flooder
  Hostile ActiveX Control
  ICQ Exploit
  Joke Program
  Key Logger
  Loader
  Low Risk Adware
  Misc
  Nuker
  P2P
  Password Hijacker
  Potential Privacy Risk
  Potentially Dangerous Tools
  RAT
  Search Hijacker
  Security Disabler
  Spyware
  Stealth Notifier
  Surveillance
  Toolbar
  Trojan
  Trojan Downloader
  Trojan FTP
  Trojan Telnet
  Viruses
  Worm
 


 
TrojanProxy.Win32.Bobax. Viruses Information

Name: TrojanProxy.Win32.Bobax.
Category: Viruses
Description: Details
TrojanProxy.Win32.Bobax.a

This Trojan program makes it possible for the infected machine to be used as a proxy server.
Bobax uses a vulnerability in Microsoft LSASS to propagate on command.
The Trojan is written in Microsoft Visual C++, and the body is encrypted. It runs under Windows, and is 20480 bytes in size.
Installation
When loading, Bobax deencrypts its body and saves it as a .dll file in the temporary directory under the random name ~xxxx.tmp, with xxxx being replaced by a random hexidecimal.
This .dll file is the main Trojan component; it is packed using UPX, and is 17920 bytes in size.
When the .dll file is loaded, the executable component copies itself to the Windows system directory under a name which is a string of symbols chosen at random.
It creates the mutex 00:24:03:54A9D in the computer memory to flag its presence in the system, and writes itself to the system registry as an auto-run key:
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices]
"[Random key name]" = "[Path to executable file]"
The key name is a random number in hexidecimal format.
Payload
The Trojan receives commands from web-servers, making it possible for:
the current version of the Trojan to be updated
programs to be downloaded to the victim machine, and then executed
the Trojan to propagate using a vulnerability in Microsoft LSASS
mass mailings to be carried out from the victim machine
the author of the program to get information about the victim machine



Top Viruses Visited Pages:
Invader. - 239 visits
not-a-virus:RiskWare.Tool.RegPatch. - 72 visits
Worm.P2P.Harex. - 66 visits
not-a-virus:RemoteAdmin.Win32.RAdmin.2 - 60 visits
Small.58. - 56 visits
Coito.64 - 54 visits
I-Worm.Mapson. - 48 visits
Win16.Klon.1177 - 42 visits
Win32.Hidra - 42 visits
Marine.500 - 35 visits

Random Viruses Pages:
Worm.Qa
TrojanDownloader.Win32.Small.c
Patsy.57
Mirage_II.727.
Pentago
I-Worm.Gali
Zmt.25
Dune.64
Dennis.65
Pac-Man Famil


 

© 2006-2008 spyware32.com - Privacy Policy