Bobax Removal Tool

Bobax Removal Tool crack / serial

Bobax Removal Tool is a lightweight application that can fight off the Bobax worm, versions A and C.

Version A (exploits the LSASS vulnerability - see Microsoft Security Bulletin MS04-011):

Bobax Removal Tool

Download Bobax Removal Tool crack and serial

 

The worm comes as an EXE, but its main functionality is contained in a DLL embedded in the EXE. The EXE was written in Assembler and/or C, linked with the linker in Visual C++ 6 and encrypted with a simple algorithm; the DLL was written in Visual C++ 7.10 and packed with UPX.

When run, the EXE decrypts itself, gets the functions it needs from kernel32 and user32, drops the embedded DLL to a temporary file with the name starting with a '~' character and attempts to inject and run the DLL in the address space of the process that owns the Shell_TrayWnd window (Windows Explorer) using the classic VirtualAllocEx/WriteProcessMemory/CreateRemoteThread method (this works on NT versions of Windows); if it fails, it calls RegisterServiceProcess to hide itself from the Task Manager (on Windows 9x) and loads and runs the DLL in its own address space. In either case, the DLL's exported function "Run" is called with a parameter containing the current command line; this way, the pathname of the EXE is known by the DLL.

The DLL uses a mutex called "00:24:03:54A9D" to avoid multiple copies of itself running. A thread is created to check for Internet connection and copy the IP of the local machine to a global string every 5 seconds.

In order to uniquely identify the infected machine, the serial number of the harddisk drive containing the Windows folder (or the C: drive) is used to generate an 8 hexadecimal digits string.

All files in the temporary folder that have the name starting with '~' are deleted (including the dropped DLL); the EXE is copied to the Windows System folder in two files named [5 to 14 random letters].exe; the registry entries HKLMSoftwareMicrosoftWindowsCurrentVersionRun[hdd id] and HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices[hdd id] are created to run these files at every startup.

The main routine waits for a connection to Internet; it attempts to access a script on the following hosts:

- http://chilly[X].no-ip.infob

- http://kwill[X].hopto.org

- http://cheese[X].dns4biz.org

- http://butter[X].dns4biz.org

- http://[5 to 12 random letters].dns4biz.org

where [X] loops through all hexadecimal digits.

The script is called "reg"; the worm reports the hdd id and the version of the worm (114 for Bobax.A). The reply must include the hdd id as the first 8 characters; the rest of the reply specifies a command and an argument to that command; the following actions can be performed, depending on the command:

- "upd": An EXE is downloaded from a specified URL and launched; the worm ends its execution;

- "exe": An EXE is downloaded from a specified URL; the worm doesn't end its execution;

- "scn": Infects other machines. The worm creates an HTTP server on a random port between 2000 and 61999; any client that connects is given the copy of the worm to download (as image/gif); this is used to upload the copy of the worm to the exploited machines.

The IP's to infect are generated from the local IP by keeping the first 1 or 2 bytes and generating random values for the last bytes; 128 threads are created in order to infect 128 machines (65 of these threads keep only the 1st byte of the local IP and modify the other 3; the other 63 keep the first 2 bytes of the local IP and modify the other 2). The worm first attempts a connection to TCP port 5000 of the target IP; it then sends the exploit SMB packets to the LSASS service on TCP port 445. The exploit code will download a copy of the worm from the HTTP server as "svc.exe" and run it.

- the worm can download some data that is used to set up an email relay; the data is downloaded from a specified host's "get" script to a temporary file named [crc of full URL]_[hdd id].tmp; the data is checked for integrity using a simple hash function; a status

- the worm can also report some progress information to a "status" script on a specified website;

- "spd": reports the following information to a "speed" script running on a specified website: hdd id, Internet connection speed (number of bytes per second when downloading a maximum of 512 KB from a specified URL), RAM size, total free space on fixed drives, operating system version, CPU type & speed, IP, screen resolution.

Version C is similar to version A, but besides the LSASS vulnerability, it also attempts to infect other machines by exploiting the DCOM RPC vulnerability (see Microsoft Security Bulletin MS03-039) (packets are sent to TCP port 135).

It reports version 117 instead of 114 to the "reg"scripts; it opens one of the following URL's:

- g.msn.com/7MEEN_US/EN/SETUPDL.EXE;

- ftp.newaol.com/aim/win95/Install_AIM.exe;

- download.microsoft.com/download/f/a/a/faa796aa-399d-437a-9284-c3536e9f2e6e/Windows2000-KB835732-x86-ENU.EXE;

- download.microsoft.com/download/6/1/5/615a50e9-a508-4d67-b53c-3a43455761bf/WindowsXP-KB835732-x86-ENU.EXE;

- download.yahoo.com/dl/mac/ymsgr_2.5.3-ppc_install.bin.

It also tries to open the following URL besides the ones listed for A:

- http://[5 to 12 random letters].no-ip.info.

Released: Aug 5th 2010 Rating: 4.6
Size: 56 KB Downloads: 4231
Systems: Win All

User replies

14 September 2018, luciano said:

спасибі за кряк для Bobax Removal Tool

25 May 2018, Gustavo said:

thank you

13 January 2018, Jennifer said:

muito obrigado pela crack do Bobax Removal Tool

Leave a reply

Your email will not be published. * Required fields

Website search

Recently updated

Free Virus Removal Tool for W32/Vilsel Trojan Free Virus Removal Tool for W32/Vilsel Trojan Erase the Vilsel trojan from your computer
Free Virus Removal Tool for W32/Piker Trojan Free Virus Removal Tool for W32/Piker Trojan Finds and auto-deletes files infected with Piker, a Trojan whose goal is to take screenshots of your computer and steal personal information
Happy99 Virus Scanner and Remover Happy99 Virus Scanner and Remover This is a useful application for getting rid of the Happy99 malware

Software News

Mar 28
Germany's air traffic control agency says it has resolved a software problem that has forced it to reduce flight capacity over part of the country for the past week.
Mar 27
Android: Researchers tell troubling findings of pre-installed software
A study "An Analysis of Pre-installed Android Software" says pre-installed Android apps amount to a boatload of privacy issues. Just ask IMDEA Networks Institute, Stony Brooks University, Universidad Carlos II de Madrid and ...
Mar 27
Make a choice: Do you want to engage with your media passively or actively?
Mar 26
Chromium-based Edge browser yet to launch but early peeks are positive
What a concept. Rebuild Microsoft Edge (yes, please do) and have it run with Chromium (hmm, ok)? That is what is happening with the Microsoft launch to come soon. And comments are already coming forth, with a build of the ...
Mar 25
Professor Andreas Schütze and his team of experts in measurement and sensor technology at Saarland University have released a free data processing tool called simply Dave-is a MATLAB toolbox that allows rapid evaluation ...
Mar 22
A free, open-source toolkit to help researchers deal with data management overload has been devised by the John Innes Centre Informatics team.
Mar 16
Rock, scissors, flower, box. Lookout informs blind
It looks as if Microsoft and Google are making 2019 the year of impressive gains in maximizing AI as a technology enabler for people with low vision and blindness. Microsoft and Google have both recently sent out good news ...

About us

Welcome to new crack resource CrackDownloadz.com! Our service can generate cracks, keygens and serials for your software to unlock it. CrackDownloadz provides a lot of popular cracks and keygens. No spyware and adware at all, just download new cracks, keygens and serials. If you have a software that needs a crack feel free to contact us.

Also you may contact us if you have software that needs to be removed from our website.