Security Watch Letter: Dangerous Bobax Worm Hits System Files

Bobax.D is more dangerous than Sasser, but can be beat. Learn how. Plus: Turn off AIM before you walk away

It's been another busy week, with several new LSASS (MS04-011 security bulletin) vulnerability-exploiting worms appearing. Since Sasser opened the door, we've seen over half a dozen new names, and several versions of each: Cycle, Gaobot, Bobax, Korgo, Kibuv, and Sdbot. Gaobot and Wallon worms also attempt to exploit Windows vulnerabilities from earlier security bulletins. However, the most prolific threats are still the e-mail viruses Netsky.P, Bagel.X, and Dumaru. Sasser.B is also still at the top of the active infector lists, even though Microsoft reports that the number of downloads of the MS04-011 update (which could block a Sasser infection) is four times that of previous ones. If you haven't updated and haven't gotten Sasser, you're lucky. Update now.

Our top threat of the week is the Bobax.D worm. The fourth in the family, Bobax uses the same LSASS vulnerability that the Sasser family did. It hasn't had a Sasser-sized impact, but it has the potential (if Sasser doesn't infect the unpatched systems first). Bobax is a little more dangerous than Sasser, as it deletes and changes system files, and sets up an open e-mail relay to send spam from a victim's machine. It even checks the speed of the victim's connection, presumably to cherry-pick the best spam-sending systems. See our Top Threat for more information.