Bobax, discovered late Sunday in the US, uses the same Microsoft security vulnerability as the fast-spreading Sasser worm, but it looks to be slower.
"The seriousness of Bobax is about a three or four (on a scale of 10). It's attacking systems that are already vulnerable to Sasser. If you have Sasser, then you could see an additional slow down with your computer, but not necessarily," said Craig Schmugar, virus research manager for McAfee Alert Antivirus Center. "Bobax can also make your computer reboot, but not as frequently as with Sasser."
Bobax exploits a vulnerability in a Windows security component known as the Local Security Authority Subsystem Service. The LSASS flaw is present in all recent versions of Windows, but Bobax is programmed to target only the XP operating system. Once established on a system, Bobax contacts a Web site and gets instructions on what to do next, such as sending spam or running other programs.
"This worm has more of an ulterior motive than Sasser," Schmugar said.
But Bobax's infection rate is far less severe than Sasser's, antivirus experts said.
Antivirus-software maker Sophos expects Bobax's impact to be more limited. That's because a number of computer systems have already received the Microsoft patch for the LSASS flaw and have shored up their firewalls and antivirus protection. The worm's spread is also inhibited because it is targeting only XP, said Schmugar.
"We're not seeing as many machines affected as with Sasser," Schmugar said, noting that Bobax has infected about one-tenth the 500,000 to 1 million machines racked up by Sasser.
