Bobax worm takes tip from Sasser

A new worm, tagged as low risk, is making the rounds inside some PCs infected by Sasser.

Stay on top of the latest tech news with our free IT News Digest e-newsletter, delivered each weekday. Automatically sign up today!

By Dawn Kawamoto
Staff Writer, CNET

A new worm that turns infected computers into launch pads for spam and other attacks is making the rounds, antivirus experts said Wednesday.

Bobax, discovered late Sunday, uses the same as the fast-spreading worm, but it looks to be slower.

"The seriousness of Bobax is about a three or four (on a scale of 10). It's attacking systems that are already vulnerable to Sasser. If you have Sasser, then you could see an additional slow down with your computer, but not necessarily," said Craig Schmugar, virus research manager for McAfee Alert Antivirus Center. "Bobax can also make your computer reboot, but not as frequently as with Sasser."

Bobax exploits a vulnerability in a Windows security component known as the Local Security Authority Subsystem Service. The LSASS flaw is present in all recent versions of Windows, but Bobax is programmed to target only the XP operating system. Once established on a system, Bobax contacts a Web site and gets instructions on what to do next, such as sending spam or running other programs.

"This worm has more of an ulterior motive than Sasser," Schmugar said.

But Bobax's infection rate is far less severe than Sasser's, antivirus experts said.

Antivirus-software maker Sophos expects Bobax's impact to be more limited. That's because a number of computer systems have already received the Microsoft patch for the LSASS flaw and have shored up their firewalls and antivirus protection. The worm's spread is also inhibited because it is targeting only XP, said Schmugar.

"We're not seeing as many machines affected as with Sasser," Schmugar said, noting that Bobax has infected about one-tenth the 500,000 to 1 million machines racked up by Sasser.

Editor's Picks

Free Newsletters, In your Inbox