Bobax worm has limited impact here
24th May 2004 (The Star)
By RASLAN SHARIF

PETALING JAYA: A virus that can turn computers into spam "zombies" has had limited impact in Malaysia so far, experts said last week.

The spread of the Bobax trojan was first reported by antivirus companies early last week, with new variants detected several days later.

The National ICT Security and Emergency Response Centre (Niser) said there have only been a handful of reports on Bobax infections locally.

"We've not seen any dramatic increase in reports," a Niser official told In.Tech.

The official added that the most likely reason for the low infection rate was that many users had patched their computers against the vulnerability exploited by Bobax. The patch can be downloaded from Microsoft's website (www.microsoft.com/technet/security/Bulletin/MS04-011.mspx).

Antivirus software companies said Bobax resembled the Sasser virus that struck earlier this month, and affects Windows XP and Windows 2000-based computers.

The trojan's primary purpose appears to be to create a massive automated spamming network by using compromised computers to send unsolicited bulk e-mail, according to Niser.

This method of sending spam offloads almost all the bandwidth requirements of spamming onto the computers, allowing the spammer to operate with minimal cost, it added.

Bobax works by scanning TCP port 5000. If the port is found open, the trojan then connects to port 445, and executes an exploit against the vulnerable host. Once that's done, the target host can come under the control of the spammer.
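The port sequence described above (a TCP port 5000 probe followed by a connection to port 445 on the same host) can be looked for in connection logs. This is an added example, not part of the original article; the log format, the addresses and the 60-second window are constructed assumptions, and the log is assumed to be in time order.

```python
import re
from datetime import datetime, timedelta

# Constructed sample firewall log lines (the format is an assumption for this example).
SAMPLE_LOG = """\
2004-05-20T10:00:01 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=5000
2004-05-20T10:00:02 SRC=192.0.2.10 DST=198.51.100.6 PROTO=TCP DPT=5000
2004-05-20T10:00:04 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=445
2004-05-20T10:00:09 SRC=192.0.2.77 DST=198.51.100.9 PROTO=TCP DPT=445
2004-05-20T10:07:00 SRC=192.0.2.10 DST=198.51.100.6 PROTO=TCP DPT=445
2004-05-20T10:08:00 SRC=192.0.2.30 DST=198.51.100.5 PROTO=UDP DPT=5000
2004-05-20T10:08:01 SRC=192.0.2.30 DST=198.51.100.5 PROTO=TCP DPT=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)


def find_probe_then_smb(log_text, window=timedelta(seconds=60)):
    """Return sorted (src, dst) pairs where a TCP/5000 connection was
    followed by a TCP/445 connection to the same host within `window`."""
    last_probe = {}  # (src, dst) -> time of the most recent TCP/5000 connection
    hits = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "TCP":
            continue  # skip malformed lines and non-TCP traffic
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        key = (m["src"], m["dst"])
        port = int(m["dpt"])
        if port == 5000:
            last_probe[key] = ts
        elif port == 445 and key in last_probe:
            # Only count the pair when 445 follows the probe closely.
            if timedelta(0) <= ts - last_probe[key] <= window:
                hits.add(key)
    return sorted(hits)


if __name__ == "__main__":
    for src, dst in find_probe_then_smb(SAMPLE_LOG):
        print(f"{src} probed TCP/5000 then connected to TCP/445 on {dst}")
```

A lone connection to port 445, or a port 445 connection long after the probe, is not flagged; only the paired sequence is.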

Sophos Anti-Virus (www.sophos.com) said Bobax uses the same Microsoft security vulnerability exploited by Sasser to break into computers.

"Worms like Bobax are gold dust to spam gangs, giving them an easy way to build up a network of innocent computers to send their spam from," said Graham Cluley, Sophos senior technology consultant.

"If computer users take no action and simply keep their fingers crossed, they shouldn't be surprised if their computers turn into 'zombies,' launching thousands of spam messages at other Internet users," he added.

Sophos also expects Bobax to have limited impact here because of the large number of people who have already applied the Microsoft patch. Other users have also put in place firewalls since the Sasser outbreak, but the company urged users not to be complacent.

Another antivirus company, Panda Software (www.pandasoftware.com), said it had detected variants B and C of the Bobax trojan late last week.

The company said this increased "considerably" the probability of computers being infected by one of the Bobax variants.

Panda said Bobax could also infect other computers besides those running Windows XP and 2000. However, the worms do not automatically spread to these computers, doing so only when users run a file that contains a Bobax specimen.