Heads UP: Suspicious file not detected by most virusscanners.

Kevin Miller Kevin_Miller at CI.JUNEAU.AK.US
Fri Jun 3 15:55:59 IST 2005

Stijn Jonker wrote:
> Hash: SHA1
> Hello all,
> I just received 2 copies of an mail containing a text that Osama Bin
> Laden was captured, with an attachment of pics.zip (900 bytes).

Just an FYI.  Trend Micro sent this out this morning.  Looks like having
double extension checking on will help filter them out too, if the
name.1.zip pattern is consistant...


Dear Trend Micro customer,

As of June 3, 2005, 1:38 AM PDT (Pacific Daylight Time/GMT -7:00), TrendLabs
has declared a Medium Risk Virus Alert to control the spread of
WORM_BOBAX.P. TrendLabs has received several infection reports indicating
that this malware is spreading in Australia, India, Ireland, Japan, Peru,
Singapore, and the United States.

This memory-resident worm usually arrives on a system as a downloaded file
of TROJ_SMALL.AHE. It spreads by sending a copy of TROJ_SMALL.AHE as an
attachment to an email message that it sends using its own Simple Mail
Transfer Protocol (SMTP) engine. 

The message it sends out contains the following details: 

Subject: {blank} 

Message body: (any of the following) 

* Attached some pics that i found 
* Check this out :-) 
* Hello, 
* I was going through my album, and look what I found.. 
* Long time! Check this out! 
* Osama Bin Laden Captured. 
* Remember this? 
* Saddam Hussein - Attempted Escape, Shot dead 
* Secret! 
* Testing 

(followed by any of the following strings) 

* +++ Attachment: No Virus found 
* +++ F-Secure AntiVirus - You are protected 
* +++ Norman AntiVirus - You are protected 
* +++ Norton AntiVirus - You are protected 
* +++ Panda AntiVirus - You are protected 
* +++ www.f-secure.com 
* +++ www.norman.com 
* +++ www.pandasoftware.com 
* +++ www.symantec.com 

Attachment: (any of the following names followed by a .ZIP extension) 

* bush.1 
* funny.1 
* joke.1 
* pics.1 
* secret.2 

When an unsuspecting user executes the Trojan attachment, TROJ_SMALL.AHE
downloads WORM_BOBAX.P, and the vicious worm-Trojan cycle continues.

It also propagates by taking advantage of the Windows LSASS vulnerability.
Furthermore, it is capable of modifying the system's HOSTS file in order to
prevent users from accessing certain Web sites.

TrendLabs will be releasing the following EPS deliverables:

TMCM Outbreak Prevention Policy 179 -- already uploaded
Official Pattern Release 2.663.00
Damage Cleanup Template 612

For more information on WORM_BOBAX.P, you can visit our Web site at:
You can modify subscription settings for Trend Micro newsletters at:

Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list