Sign in with
Sign up | Sign in
Your question

Bobax.0@mm Worm threat active

Last response: in Windows 95/98/ME
Share
August 20, 2005 6:46:01 AM

Archived from groups: microsoft.public.win98.gen_discussion (More info?)

Received in a email a zip file that contained a .scr file type which was
written as a longfilename from Ernest Elliot - WilbertZ@gmx.net [IP
37.110.137.210 (port=3121 helo=ulszf) by Gibson.hsd1.tn.comcast.net Thu, 18
Aug 2005 18:18:06 -0600. Arrival Time 19 Aug 2005 00:18:53.0012 UTC
FILETIME=[9478E940:01C5A453]. Filename attachment named "account_info.zip".
Because I was running Microsoft Spyware (Beta) the infestation failed to
install Bobax.0@mm Worm onto my computer during a open to read in notepad the
filelspec contained in the zip which would have executed but the popup showed
a threat and it was terminated successfully. Had I not done so this system a
Windows 98 SE machine would have surely become infested over the network
thats what Bobax.0@mm Worm is all about infesting network computers.

I suggest everyone use Microsoft Spyware(Beta) on their XP machine and scan
often!

--
Coming of Age at mysite - webwalking
http://webwalking.info/home.php
Hope to hear from you soon. Michael
Anonymous
August 20, 2005 2:08:16 PM

Archived from groups: microsoft.public.win98.gen_discussion (More info?)

From: "Michael" <al_cmjones@hotmail.com>

| Received in a email a zip file that contained a .scr file type which was
| written as a longfilename from Ernest Elliot - WilbertZ@gmx.net [IP
| 37.110.137.210 (port=3121 helo=ulszf) by Gibson.hsd1.tn.comcast.net Thu, 18
| Aug 2005 18:18:06 -0600. Arrival Time 19 Aug 2005 00:18:53.0012 UTC
| FILETIME=[9478E940:01C5A453]. Filename attachment named "account_info.zip".
| Because I was running Microsoft Spyware (Beta) the infestation failed to
| install Bobax.0@mm Worm onto my computer during a open to read in notepad the
| filelspec contained in the zip which would have executed but the popup showed
| a threat and it was terminated successfully. Had I not done so this system a
| Windows 98 SE machine would have surely become infested over the network
| thats what Bobax.0@mm Worm is all about infesting network computers.
|
| I suggest everyone use Microsoft Spyware(Beta) on their XP machine and scan
| often!
|
| --
| Coming of Age at mysite - webwalking
| http://webwalking.info/home.php
| Hope to hear from you soon. Michael

No, not really.

The suggestion is that all users have a good Anti Virus application installed and running
"On Access" scanning at all times. This worm is also associated with the Downloader-ABL
Trojan. If you have the Trojan you have a good chance of getting this worm and vice versa.

MS AS is NOT anti virus software and is not the solution for the prevention of viruses and
Internet worms, such as the Bobax, and the vast majority of Trojans. Anti virus software is
that preventative measure.

Please also note that this worm utilizes exploit code and will take advantage of the
vulnerabilities associated with "MS04-011 - KB835732"
However, vulnerability exploitation is not an issue on Win9x/ME as it is with NT4, Win2K,
WinXP and Win2003 Server.

Downloader-ABL -- http://vil.nai.com/vil/content/v_134083.htm

W32/Bobax.worm.o -- http://vil.nai.com/vil/content/v_134085.htm

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
August 20, 2005 4:31:21 PM

Archived from groups: microsoft.public.win98.gen_discussion (More info?)

I'd reccomend AVG Free. It's my AV. It hasn't let me down yet.
Related resources
Can't find your answer ? Ask !
Anonymous
August 20, 2005 5:18:09 PM

Archived from groups: microsoft.public.win98.gen_discussion (More info?)

From: "jkb" <nospam>

| I'd reccomend AVG Free. It's my AV. It hasn't let me down yet.
|

AVG is good software. It does have its limitations and it it would be good to use other "On
Access" anti virus scanners to verify a clean PC.

The following is an example report form Virus Total on a SDBot / RBot variant that AVG did
nt recognize.

This is a report processed by VirusTotal on 08/18/2005 at 22:26:17 (CET)
after scanning the file "msrcsnt.exe " file.
Antivirus Version Update Result
AntiVir 6.31.1.0 08.18.2005 no virus found
Avast 4.6.695.0 08.17.2005 no virus found
AVG 718 08.17.2005 no virus found
Avira 6.31.1.0 08.18.2005 no virus found
BitDefender 7.0 08.18.2005 Backdoor.RBot.EDF5B278
CAT-QuickHeal 7.03 08.18.2005 (Suspicious) - DNAScan
ClamAV devel-20050725 08.18.2005 no virus found
DrWeb 4.32b 08.18.2005 Win32.HLLW.MyBot.based
eTrust-Iris 7.1.194.0 08.17.2005 Win32/SDBot!Backdoor!Server.Vari
eTrust-Vet 11.9.1.0 08.18.2005 no virus found
Fortinet 2.41.0.0 08.18.2005 W32/NewThreat!Morphine
F-Prot 3.16c 08.18.2005 no virus found
Ikarus 0.2.59.0 08.18.2005 no virus found
Kaspersky 4.0.2.24 08.18.2005 Backdoor.Win32.Rbot.gen
McAfee 4562 08.18.2005 New Malware.h
NOD32v2 1.1197 08.18.2005 a variant of Win32/Rbot
Norman 5.70.10 08.17.2005 W32/Malware
Panda 8.02.00 08.18.2005 no virus found
Sophos 3.96.0 08.18.2005 W32/Rbot-Fam
Sybari 7.5.1314 08.18.2005 Backdoor.Win32.Rbot.gen
Symantec 8.0 08.18.2005 no virus found
TheHacker 5.8.2.091 08.18.2005 no virus found
VBA32 3.10.4 08.18.2005 suspected of Worm.Mytob.9


The following is a good "On Demand" anti virus tool that provides scanners for; McAfee,
Trend Micro and Sophos


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove
viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
August 20, 2005 5:26:59 PM

Archived from groups: microsoft.public.win98.gen_discussion (More info?)

From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>


| AVG is good software. It does have its limitations and it it would be good to use other
| "On Access" anti virus scanners to verify a clean PC.

I'm sorry... That should have been ...

"AVG is good software. It does have its limitations and it it would be good to use other
"On Demand" anti virus scanners to verify a clean PC."

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
August 20, 2005 5:42:10 PM

Archived from groups: microsoft.public.win98.gen_discussion (More info?)

This is a reply to both:

My computer isn't acting like it's got a virus in it. It's even picked up a
virus the Norton didn't. My brother is running Norton on XP and I've got AVG
on 98. Could have been a 98-only virus though.

About that program - you didn't mention AVG among supported vendors. Is it
really needed?
Anonymous
August 20, 2005 8:09:01 PM

Archived from groups: microsoft.public.win98.gen_discussion (More info?)

> | About that program - you didn't mention AVG among supported vendors. Is
it
> | really needed?

> Can you rephrase the above question. What program, Multi AV ?

Yes, Multi AV. In your description - you didn't have AVG among Sophos, Trend
and McAfee Anti Virus. Do I really need Multi AV?
Anonymous
August 20, 2005 8:16:37 PM

Archived from groups: microsoft.public.win98.gen_discussion (More info?)

From: "jkb" <nospam>

|
| Yes, Multi AV. In your description - you didn't have AVG among Sophos, Trend
| and McAfee Anti Virus. Do I really need Multi AV?
|

OK...

That's because the Multi AV scanning tool is an adjunct cleaning/verification tool. It is
to be used for "On Demand" scanning and co-exists with the AV application installed on the
PC. When a module is chosen from the menu, the Multi AV scanner utility will automatically
download the needed files for; McAfee, Trend or Sophos depending on the module chosen. It
will then query you if you want to perform a scan and if YES, it will then query if you want
to scan a specific location. If you choose a specific location it will just scan there. If
you don't choose a specific location (NO) it will perform a full scan of all hard disks.

So if you were to use this (for example) you would have the "On Demand" and "On Access"
scanning capabilities of AVG and the "On Demand" scanning capabilities of the other three
vendor's scanners.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
August 20, 2005 8:29:31 PM

Archived from groups: microsoft.public.win98.gen_discussion (More info?)

> That's because the Multi AV scanning tool is an adjunct
cleaning/verification tool. It is
> to be used for "On Demand" scanning and co-exists with the AV application
installed on the
> PC. When a module is chosen from the menu, the Multi AV scanner utility
will automatically
> download the needed files for; McAfee, Trend or Sophos depending on the
module chosen. It
> will then query you if you want to perform a scan and if YES, it will then
query if you want
> to scan a specific location. If you choose a specific location it will
just scan there. If
> you don't choose a specific location (NO) it will perform a full scan of
all hard disks.

Is "On Demand" scan a scan you tell to start? And why McAfee, Trend, or
Sophos? Why those 3 and not say Norton or AVG?

> So if you were to use this (for example) you would have the "On Demand"
and "On Access"
> scanning capabilities of AVG and the "On Demand" scanning capabilities of
the other three
> vendor's scanners.

What's wrong with AVG?
Anonymous
August 20, 2005 8:59:48 PM

Archived from groups: microsoft.public.win98.gen_discussion (More info?)

From: "jkb" <nospam>


|
| Is "On Demand" scan a scan you tell to start? And why McAfee, Trend, or
| Sophos? Why those 3 and not say Norton or AVG?
|
|
| What's wrong with AVG?
|

On Access -- Whenever a file is read from or written to media (hard disk, floppy, Flash RAM
card, etc.) it is scanned for viruses

On Demand -- Forcing a scan of selected files, locations or all files

Why; Trend Sysclean, and the Sophos and McAfee Command Line Scanners ?
Because I chose to program Multi AV to use them due to capabilities, broad-spectrum
recognition and removal of viruses and for their ease of using them in a programmed front
end.

What's wrong with AVG ?
Not much. It is both FREE and a good "On Access" and "On Demand" scanner for a Windows
based computers. However, they are slow to update the signature library for new threats as
compared to the top vendors; NOD32, Kasperski, Trend, McAfee, Sophos, etc. This is shown
in the Virus Total report I posted earlier in this thread.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
August 20, 2005 9:07:37 PM

Archived from groups: microsoft.public.win98.gen_discussion (More info?)

So, if I get Multi AV - do I have to have *another* "On Access" scanner?
Anonymous
August 20, 2005 10:04:17 PM

Archived from groups: microsoft.public.win98.gen_discussion (More info?)

Is it really neccersary?
Anonymous
August 20, 2005 10:58:39 PM

Archived from groups: microsoft.public.win98.gen_discussion (More info?)

> Why don't you try it and find out.

Ok, it's downloaded. Which do I choose?
Anonymous
August 21, 2005 12:12:47 AM

Archived from groups: microsoft.public.win98.gen_discussion (More info?)

From: "jkb" <nospam>

>> Why don't you try it and find out.
|
| Ok, it's downloaded. Which do I choose?
|

Either; McAfee, Trend or Sophos. It's your pick from the menu.

The reboot option is there if there is a stubborn infector and you need to reboot into Safe
Mode to perform a scan.

Hitting the letters 'H' or 'h' on the menu will bring up a PDF help file.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
August 21, 2005 12:23:38 AM

Archived from groups: microsoft.public.win98.gen_discussion (More info?)

> Either; McAfee, Trend or Sophos. It's your pick from the menu.

I first tried Sophos. It was going *ok*, until I deleted some Cygwin files
it was scanning. It restarted so I cancelled it and started McAfee. I'm
upset with it. It's just removed all GameSpy links from my start menu
without asking me! That's AWFUL. Tell you when it's done :-((.
Anonymous
August 21, 2005 1:14:33 AM

Archived from groups: microsoft.public.win98.gen_discussion (More info?)

> > Either; McAfee, Trend or Sophos. It's your pick from the menu.
>
> I first tried Sophos. It was going *ok*, until I deleted some Cygwin files
> it was scanning. It restarted so I cancelled it and started McAfee. I'm
> upset with it. It's just removed all GameSpy links from my start menu
> without asking me! That's AWFUL. Tell you when it's done :-((.

This is worse than ever. It's wiped out GS almost entirely! I think I should
have stuck with AVG :-|. It's got Bobax in it's virus definitions.
Anonymous
August 21, 2005 2:26:02 AM

Archived from groups: microsoft.public.win98.gen_discussion (More info?)

> This is worse than ever. It's wiped out GS almost entirely! I think I
should
> have stuck with AVG :-|. It's got Bobax in it's virus definitions.


I've given up on it. McAfee was going along through thousands of files, I
tried to start a program and bang. All went down the tube. I'm sorry about
this, and I appreciate your trying to help me.
Anonymous
August 22, 2005 6:19:31 AM

Archived from groups: microsoft.public.win98.gen_discussion (More info?)

On Sat, 20 Aug 2005 16:59:48 -0400, "David H. Lipman"
>From: "jkb" <nospam>

>| Is "On Demand" scan a scan you tell to start? And why McAfee, Trend, or
>| Sophos? Why those 3 and not say Norton or AVG?
>| What's wrong with AVG?

>On Access -- Whenever a file is read from or written to media (hard disk, floppy, Flash RAM
>card, etc.) it is scanned for viruses

>On Demand -- Forcing a scan of selected files, locations or all files

>Why; Trend Sysclean, and the Sophos and McAfee Command Line Scanners ?
>Because I chose to program Multi AV to use them due to capabilities, broad-spectrum
>recognition and removal of viruses and for their ease of using them in a programmed front
>end. What's wrong with AVG ? Not much. It is both FREE and a good "On Access"
>and "On Demand" scanner for a Windows based computers.

A lot goes about what is easier to use, especially when it comes to
formal use (e.g. from a CDR boot with zero HD code footprint).

WHat makes a good on-access scanner does not make a good on-demand
scanner; in fact, it can be quite the opposite. A good on-demand
scanner is deeply-integrated into the system, and not a thing happens
that it's not privvy to. You can only have one such deeply-integrated
av per system; more than one, and they will trip over each other.

In contrast, an on-demand scanner that is being formally used, can
have no integration with the target at all. If it were present in the
infected system, that presence may well have been compromised,
trojan'd or booby-trapped by the malware by now.

Some av vendors offer both sorts of scanners, and often that share the
same update data. For example, F-Prot has an command-line
non-resident engine as part of the Windows product, as well as a free
DOS engine that works in a similar was from DOS mode. McAfee does the
same with the ScanPM.exe non-resident command-line engine, and then
they offer a free narrow-focus scanner called Stinger that catches
only 50 or so malware, but they are the most common 50 or so.

Trend offers SysClean, which is very frequently updated, has a very
wide range of cover for traditional malware, and is entirely
self-contained for formal, non-integrated use.

In contrast, some vendors such as Symantec, Sophos etc. offer a number
of single-malware cleaners, which are great if you know what you are
dealing with, but it's impractical to download and run all of them
one after the other. Sophos and NOD32 have DOS-based scanners free
for evaluation, but there's no broad-range tools like Stinger or
SysClean - and DOS tools have problems "seeing everything" from
Windows on NTFS, even when that's formally booted.

Some Windows-based av are handy to use "from orbit", and king of the
pack is Free AntiVir (I've also seen it catch things the others
missed). But both Norton and AVG are so deeply-entrenched into the OS
they install into, that they just don't work when plonked on a Bart
CDR and run from there. I tried, with AVG, but the registry settings
etc. were such a pain that I just gave up.

OTOH, both Norton and AVG may have "rescue" diskette-based scanners,
but I think these are still DOS-based, and have the same limitations
especially when confronted with NTFS. They can't "see" the NTFS from
DOS mode, and from Windows, the OS blocks access to some stuff.



>-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
>-------------------- ----- ---- --- -- - - - -
Anonymous
August 22, 2005 1:09:17 PM

Archived from groups: microsoft.public.win98.gen_discussion (More info?)

What's your AV?
!