Security Strategy

New Bobax worm copies Sasser exploit

It's spreading slowly but get patched anyway…

By Dawn Kawamoto

Published: 20 May 2004 08:45 GMT

A new worm that turns infected computers into launch pads for spam and other attacks is making the rounds, according to antivirus experts.

Bobax, which was discovered on Sunday, uses the same Microsoft security vulnerability as the fast-spreading Sasser worm, but it looks to be slower.

Craig Schmugar, virus research manager for McAfee Alert Antivirus Centre, said: "The seriousness of Bobax is about a three or four [on a scale of 10]. It's attacking systems that are already vulnerable to Sasser. If you have Sasser, then you could see an additional slowdown with your computer, but not necessarily. Bobax can also make your computer reboot, but not as frequently as with Sasser."

Bobax exploits a vulnerability in a Windows security component known as the Local Security Authority Subsystem Service (LSASS). The LSASS flaw is present in all recent versions of Windows, but Bobax is programmed to target only the XP operating system. Once established on a system, Bobax contacts a website and gets instructions on what to do next, such as sending spam or running other programs.

"This worm has more of an ulterior motive than Sasser," Schmugar said.

But Bobax's infection rate is far less severe than Sasser's, antivirus experts said.

Antivirus firm Sophos expects Bobax's impact to be more limited because a number of computer systems have already received the Microsoft patch for the LSASS flaw and have shored up their firewalls and antivirus protection. The worm's spread is also inhibited because it is targeting only XP, said Schmugar.

"We're not seeing as many machines affected as with Sasser," Schmugar said, noting that Bobax has infected about one-tenth of the 500,000 to one million machines racked up by Sasser.

Dawn Kawamoto writes for CNET News.com
