Kibuv Worm, Bobax Trojan Try Many Methods

Kibuv uses seven mechanisms to spread itself, including exploiting five Windows vulnerabilities and connecting to the FTP server installed by the Sasser worms, while Bobax seems to focus on sending out large amounts of spam.

Security experts are tracking two new threats that have emerged in the past few days, including a worm that uses seven mechanisms to spread itself.

The worm is known as Kibuv, and researchers first noticed its presence Friday. Kibuv affects all versions of Windows from 98 through Windows Server 2003 and attempts to spread through a variety of methods, including exploiting five Windows vulnerabilities and connecting to the FTP server installed by the Sasser worms.

Once it's installed on a PC, Kibuv starts its own FTP server that can be used to distribute copies of the worm. It also connects to a remote IRC chat server and listens for commands, according to an analysis done by Symantec Corp. Kibuv also listens on TCP port 420 for commands.

The worm has not spread too widely as of yet, but with its variety of infection methods, experts say the potential exists for it to infect a large number of machines.

The second piece of malware that has surfaced is a Trojan that is capable of spreading semi-automatically. Known as Bobax, the Trojan can only infect machines running Windows XP and seems to exist solely for the purpose of sending out large amounts of spam, according to an analysis by LURHQ Corp., a managed security services provider.

The Trojan is dropped onto target systems via a file named Svc.exe, which then extracts a DLL and places it in the process space of Explorer.exe. Once executed, Bobax copies itself to the Windows system folder and creates two registry keys.

The Trojan then tries to connect to four Web sites, and if it gets a connection, it looks for one of four specific commands from the remote Web server.

The server, apparently controlled by the Trojan's creator, can instruct the program to download and run another program, scan and infect other machines, stop scanning, or send spam from a preloaded e-mail template and address list.

The interesting thing about this command sequence is that it enables the Trojan's creator to send spam from remote machines without having to connect to the PCs to send each separate piece of e-mail.


When ordered to scan for new machines to infect, Bobax spawns 128 threads and begins scanning for PCs with TCP port 5000 open. If the port is open, the Trojan connects to port 445 and exploits the Windows LSASS vulnerability. Bobax then loads a copy of itself onto the new PC, and the process repeats.
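The scan-then-exploit sequence described above gives defenders a recognisable network pattern: one source probing TCP 5000 on many hosts, then opening TCP 445 only to the hosts that answered. The following is an added example, not code from the article or from Symantec or LURHQ; it runs that heuristic over a constructed, simplified firewall log (the line format and the sample addresses are assumptions) and reports sources matching the pattern.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not real traffic): time src dst dport action.
# 10.0.0.7 sweeps port 5000, then goes to 445 only on hosts that answered.
SAMPLE_LOG = """\
10:00:01 10.0.0.7 10.0.1.10 5000 allow
10:00:01 10.0.0.7 10.0.1.11 5000 deny
10:00:01 10.0.0.7 10.0.1.12 5000 deny
10:00:02 10.0.0.7 10.0.1.13 5000 deny
10:00:02 10.0.0.7 10.0.1.14 5000 allow
10:00:03 10.0.0.7 10.0.1.10 445 allow
10:00:03 10.0.0.7 10.0.1.14 445 allow
10:00:05 10.0.0.9 10.0.1.20 445 allow
10:00:05 10.0.0.9 10.0.1.21 80 allow
"""

# Assumed log format: five whitespace-separated fields per line.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (allow|deny)$")

def parse_log(text):
    """Parse log lines into (time, src, dst, dport, action) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, action = m.groups()
            events.append((ts, src, dst, int(dport), action))
    return events

def find_bobax_scanners(events, min_probes=4):
    """Return {src: [dst, ...]} for sources that probe TCP 5000 on at least
    min_probes distinct hosts and then connect on TCP 445 to a host that
    answered on 5000. Events must be in chronological order."""
    probes = defaultdict(set)     # src -> hosts probed on 5000
    open5000 = defaultdict(set)   # src -> hosts that answered on 5000
    followups = defaultdict(set)  # src -> hosts hit on 445 after answering on 5000
    for _ts, src, dst, dport, action in events:
        if dport == 5000:
            probes[src].add(dst)
            if action == "allow":
                open5000[src].add(dst)
        elif dport == 445 and dst in open5000[src]:
            followups[src].add(dst)
    return {src: sorted(followups[src]) for src in probes
            if len(probes[src]) >= min_probes and followups[src]}
```

The threshold keeps a single host checking one neighbour on 5000 from being flagged; on real logs it should be tuned to the size of the sweep, which the article puts at 128 parallel threads.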

This technique is an evolution of one that virus writers and spammers have been using for more than a year in which mass-mailing viruses plant spam proxies on infected machines.


Antivirus and antispam providers say they have seen just a few machines infected with Bobax as of Tuesday.
