
I saw something tonight I hadn't seen before.

A friend got a trojan worm

but couldn't delete it, even in safe mode.

But before he knew it was a virus

he thought it was spyware, so I suggested he install RegCleaner.

Well, tonight he rang and said it was a trojan worm

and said he deleted it through RegCleaner

by typing the name in the find box, and

at the bottom of the window

was the option "remove selected",

which he did, and that was the end of the worm.

I've used RegCleaner for five years

and I didn't know you could use it for that purpose.

I have deleted the remnants of OSes

but not viruses.

Anyone experienced this?

Hope it's true.

marty


Hi Marty

As you probably remember, I'm not a big fan of registry cleaners but I doubt that your friend has completely gotten that trojan/worm out of the system by deleting just one entry. It probably is disabled but many bits may still be present.

BTW, you can't have a trojan worm, you have one or the other as they are different things.

Does your friend have the name of the Trojan or Worm? If so, we can search on it and maybe we can come up with some proper cleaning instructions to get the remnants out.


Hi Chappy,

yes, I know you are opposed to reg cleaners

and I agree with you:

if you stuff up your reg

you're in trouble.

I never use RegCleaner for that purpose;

most times it is redundant on my system,

but I put it there to get rid of certains

but I never go outside of the rules.

Back to my friend's virus:

it was my typing that was the problem.

I didn't see a worm OR a trojan.

OK, it was a worm

and it was called WORM_BOBAX.P.

I haven't heard of it, but I pasted it into the search box

and this is what it says.

As you know I very rarely get a virus, though I've had a couple, but a long time ago,

so this article would be better understood by you than me.

They use Win ME.

As he isn't home at the moment, this is all the info his wife emailed to me.

Hope that is enough for you to

analyse.

----------------------------------------------------------------------------------------------


Malware type: Worm

Aliases: W32.Bobax.Z@mm, W32/Bobax.worm, Win32.Bobax.U

In the wild: Yes

Language: English

Platform: Windows 98, ME, NT, 2000, XP

Encrypted: No

Characteristics: Propagates through Network Shares, Propagates via email

Overall risk rating: Medium

--------------------------------------------------------------------------------

Reported infections: Low

Damage potential: High

Distribution potential: High

--------------------------------------------------------------------------------

Description:

As of June 3, 2005 1:38 AM (PDT/GMT-7:00), TrendLabs has declared a MEDIUM risk alert in order to control the spread of WORM_BOBAX.P. TrendLabs has received several infection reports indicating that this worm is currently spreading in the United States, Singapore, Ireland, Japan, Peru, Australia, and India.


Malware Overview

This memory-resident worm usually arrives on a system as a downloaded file of TROJ_SMALL.AHE. It spreads by sending a copy of TROJ_SMALL.AHE as an attachment to an email message that it sends using its own Simple Mail Transfer Protocol (SMTP) engine.

The message it sends out contains the following details:

Subject: (any of the following)

• bush

• Cool

• funny

• joke

• pics

• secret

Message body: (any of the following)

• Attached some pics that i found

• Check this out :-)

• Hello,

• I was going through my album, and look what I found..

• Long time! Check this out!

• Osama Bin Laden Captured.

• Remember this?

• Saddam Hussein - Attempted Escape, Shot dead

• Secret!

• Testing

(followed by any of the following strings)

• +++ Attachment: No Virus found

• +++ F-Secure AntiVirus - You are protected

• +++ Norman AntiVirus - You are protected

• +++ Norton AntiVirus - You are protected

• +++ Panda AntiVirus - You are protected

• +++ www.f-secure.com

• +++ www.norman.com

• +++ www.pandasoftware.com

• +++ www.symantec.com

Attachment: (a .ZIP file that may use any of the following names)

• bush

• funny

• joke

• pics

• secret

(The attachment file names may have any of the following extensions:)

• EXE

• PIF

• SCR

When an unsuspecting user executes the Trojan attachment, TROJ_SMALL.AHE downloads WORM_BOBAX.P, and the vicious worm-Trojan cycle continues.


It also takes advantage of the Windows LSASS vulnerability. For more information about this vulnerability, please refer to the following Microsoft page:

Microsoft Security Bulletin MS04-011

This worm is also capable of modifying the system's HOSTS file in order to prevent users from accessing certain Web sites.


Description created: Jun. 2, 2005 3:19:32 PM GMT -0800

Description updated: Jun. 3, 2005 10:17:57 AM GMT -0800

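The Trend Micro description pasted above reads as a set of indicators a defender can check for: the fixed lure subjects, the "+++ ... You are protected" footer, a ZIP attachment with one of the listed names that carries an EXE/PIF/SCR inside, and HOSTS file entries that pin web sites to a local address. The script below is an added example, written for this thread and not taken from the forum posts or from Trend Micro, that turns those indicators into checks. The sample e-mail, the ZIP inside it and the HOSTS text are constructed; the list of vendor domains watched in the HOSTS check is an assumption (the description only says "certain Web sites"), taken from the domains the fake footer names.

```python
import io
import os
import re
import zipfile
from email.message import EmailMessage

# Indicators copied from the WORM_BOBAX.P description quoted in the thread.
LURE_SUBJECTS = {"bush", "cool", "funny", "joke", "pics", "secret"}
LURE_ATTACH_NAMES = {"bush", "funny", "joke", "pics", "secret"}
EXEC_EXTS = {".exe", ".pif", ".scr"}
# The "+++ ... You are protected" footer lines the description lists.
FAKE_AV_FOOTER = re.compile(r"^\+\+\+ .*(No Virus found|You are protected|www\.)", re.M)

# Assumption: the description only says the HOSTS file is changed to block
# "certain Web sites"; the domains below are the ones named in the fake
# footer, used here as a plausible watch-list, not Trend Micro's list.
WATCHED_DOMAINS = ("f-secure.com", "norman.com", "pandasoftware.com", "symantec.com")
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def executable_members(zip_bytes):
    """Names of members in a ZIP payload that carry an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if os.path.splitext(n)[1].lower() in EXEC_EXTS]


def score_message(msg):
    """Return the indicator labels an EmailMessage matches, in check order."""
    hits = []
    if (msg["Subject"] or "").strip().lower() in LURE_SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and FAKE_AV_FOOTER.search(body.get_content()):
        hits.append("fake-av-footer")
    for part in msg.iter_attachments():
        stem, ext = os.path.splitext(part.get_filename() or "")
        if ext.lower() == ".zip" and stem.lower() in LURE_ATTACH_NAMES:
            hits.append("attachment-name")
        if ext.lower() == ".zip" and executable_members(part.get_payload(decode=True)):
            hits.append("zip-executable")
    return hits


def suspicious_hosts_entries(hosts_text):
    """(ip, hostname) pairs that pin a watched domain to a local/null address."""
    found = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            if ip in SINKHOLE_IPS and name.lower().endswith(WATCHED_DOMAINS):
                found.append((ip, name))
    return found


def build_lure_sample():
    """Constructed message shaped like the described lure (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pics.scr", b"placeholder bytes, not an executable")
    msg = EmailMessage()
    msg["Subject"] = "pics"
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg.set_content("Attached some pics that i found\n\n+++ Norton AntiVirus - You are protected\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="pics.zip")
    return msg


def build_clean_sample():
    """Constructed benign message for comparison."""
    msg = EmailMessage()
    msg["Subject"] = "Minutes from Tuesday"
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg.set_content("Minutes attached as discussed.\n")
    return msg


# Constructed sample HOSTS file: one normal entry, two sinkholed vendor sites.
SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1 localhost
127.0.0.1 www.symantec.com
0.0.0.0 www.f-secure.com
192.0.2.10 intranet.example.test
"""


if __name__ == "__main__":
    print("lure:", score_message(build_lure_sample()))
    print("clean:", score_message(build_clean_sample()))
    print("hosts:", suspicious_hosts_entries(SAMPLE_HOSTS))
```

The lure sample matches all four labels and the benign one matches none; the HOSTS check reports the two sinkholed vendor entries and ignores the normal localhost line. This is also why Chappy's caution applies: deleting one registry entry removes a start-up hook, but the HOSTS changes and the dropped files the description mentions are separate remnants that a registry cleaner never looks at.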
