Microsoft security software detects and removes this threat.
Win32/Bobax is a family of mass-mailing network worms that target certain versions of Microsoft Windows.
The worm can spread by sending a copy of itself as an attachment to email addresses gathered from an infected computer. It can also spread by exploiting several Windows vulnerabilities. The worm can download and run malicious files from Web sites, and can also open a backdoor to give attackers access to use the infected computer.

What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Win32/Bobax may take actions such as the following:
  • Create a copy of itself in <system folder> or %windir%. The file name is random for most Win32/Bobax variants.
  • Create values under the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    These changes cause the worm to run each time Windows starts and whenever a user logs on, and also to run as a service, so the worm is always active regardless of whether any user is logged on.
  • Open and monitor a random TCP port to enable attackers to use the infected computer as a proxy.
  • Download and run files from various Web sites.
  • Drop a .dll file, inject the .dll code into the explorer.exe process space, and run the code. The .dll file that is dropped is a Win32/Bobax variant.
  • Modify registry keys to disable Windows firewall security.
  • Modify the Windows hosts file, <system folder>\drivers\etc\hosts, to block access to certain computer security and shopping Web sites.
Win32/Bobax may spread in the following ways:
  • By sending a copy of itself as an attachment to email addresses that it gathers from various locations.
  • By exploiting various Windows vulnerabilities. The worm creates a thread that scans random IP addresses on TCP port 135 or 445 to connect to remote computers. If a connection is established, the worm may copy itself to the remote computer by exploiting one of these Windows vulnerabilities:
    • The Microsoft Windows Plug-and-Play buffer overflow vulnerability (Microsoft Security Bulletin MS05-039)
    • The RPC DCOM vulnerability (Microsoft Security Bulletins MS03-039 and MS03-026)
    • The LSASS vulnerability (Microsoft Security Bulletin MS04-011)
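The hosts-file tampering described above (mapping security vendors' and shopping sites to a local address so they cannot be reached) leaves a simple, checkable artifact. The following is an added example for defenders, not code from the original entry or from Microsoft: it parses a hosts file and flags any non-local hostname that is mapped to a loopback or unspecified address. The sample hosts content is constructed for the example, the function names are hypothetical, and the default path used by audit_hosts_file (%SystemRoot%\System32\drivers\etc\hosts, the usual location of <system folder>\drivers\etc\hosts) is an assumption about a standard Windows install.

```python
import ipaddress
import os

# Constructed sample hosts-file content for the example; not from a real infection.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com        # blocks a security vendor
127.0.0.1       update.microsoft.com
0.0.0.0         www.sophos.com
192.168.10.5    intranet.example.local  # legitimate internal override
"""

# Names that are expected to resolve to loopback on a clean system.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (address, hostname) pairs from hosts-file text.

    Comments (from '#' to end of line) and blank lines are skipped; a line may
    map several hostnames to one address, so each name becomes its own pair.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        for name in names:
            entries.append((address, name.lower()))
    return entries


def find_sinkholed(entries):
    """Flag hostnames mapped to loopback/unspecified addresses that are not
    the standard local names; this is the pattern a site-blocking hosts edit
    produces. Returns a list of (address, hostname, reason) tuples."""
    flagged = []
    for address, name in entries:
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            flagged.append((address, name, "unparseable address"))
            continue
        if (addr.is_loopback or addr.is_unspecified) and name not in LOOPBACK_OK:
            flagged.append((address, name, "non-local name mapped to loopback/unspecified"))
    return flagged


def audit_hosts_file(path=None):
    """Read the live hosts file (assumed default Windows path) and return findings."""
    if path is None:
        system_root = os.environ.get("SystemRoot", r"C:\Windows")
        path = os.path.join(system_root, "System32", "drivers", "etc", "hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_sinkholed(parse_hosts(fh.read()))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for address, name, reason in find_sinkholed(parse_hosts(SAMPLE_HOSTS)):
        print(f"{address:<16} {name:<28} {reason}")
```

The internal override (a private address, not loopback) is deliberately left unflagged so that legitimate administrative entries do not produce noise; only mappings that make a public site unreachable are reported.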
The following can indicate that you have this threat on your PC:
  • Excessive, unexpected network traffic on TCP port 135 or 445.
  • Unexpected loss of Windows firewall functionality.
  • Unexpected changes to the Windows hosts file.
  • Inability to access certain computer security and shopping websites.
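The first indicator above, a burst of connections to TCP 135 or 445 across many addresses, is what the worm's random-IP scanning thread looks like from the network. The following added example (not code from the original entry or from Microsoft) shows one way to pick that pattern out of firewall-style connection logs: it groups connection attempts per source host and reports any host that reaches an unusually large number of distinct destinations on those ports within a sliding time window. The log format, the sample lines (generated inline and constructed for the example), the function names, and the 20-target/60-second threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> src=<ip> dst=<ip> dport=<port> proto=tcp"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=tcp$"
)
SCAN_PORTS = {135, 445}


def build_sample_log():
    """Constructed sample log: one host probing 30 different addresses on
    445/135 within half a minute, plus a normal client repeatedly reaching
    a single file server. Not real captured traffic."""
    base = datetime(2005, 8, 18, 10, 0, 0)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        port = 445 if i % 2 == 0 else 135
        lines.append(f"{ts} src=10.0.0.23 dst=10.0.{(i * 37) % 256}.{(i * 91) % 254 + 1} "
                     f"dport={port} proto=tcp")
    for i in range(5):
        ts = (base + timedelta(seconds=i * 10)).isoformat()
        lines.append(f"{ts} src=10.0.0.41 dst=10.0.0.2 dport=445 proto=tcp")
    return lines


def parse_log(lines):
    """Parse log lines into (timestamp, src, dst, dport); unparseable lines are dropped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def find_scanners(events, window=timedelta(seconds=60), min_targets=20):
    """Return {src: peak_distinct_targets} for sources that contact at least
    min_targets distinct destinations on 135/445 inside any window-long span.
    Counting distinct destinations (not connections) separates a scanner from
    a chatty but legitimate SMB client talking to one server."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport in SCAN_PORTS:
            per_src[src].append((ts, dst))

    hits = {}
    for src, conns in per_src.items():
        conns.sort()
        peak = 0
        for i, (t0, _) in enumerate(conns):
            targets = {dst for ts, dst in conns[i:] if ts - t0 <= window}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    for src, count in find_scanners(parse_log(build_sample_log())).items():
        print(f"possible 135/445 scanner: {src} reached {count} distinct hosts")
```

The window is evaluated per source starting at each of its connection attempts, so a slow scanner that spreads its probes out is missed unless the window or threshold is tuned; on an internal network where hosts rarely initiate SMB/RPC connections to more than a handful of peers, a lower threshold is usually safe.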
Alert level: Severe
This entry was first published on: Aug 18, 2005
This entry was updated on: Jul 16, 2015

This threat is also detected as:
  • W32.Bobax (Symantec)
  • W32/Bobax (Sophos)