W32.Bofra.D@mm

Discovered: November 09, 2004
Updated: November 09, 2004 5:59:07 PM
Systems Affected: Windows

W32.Bofra.D@mm is a mass-mailing worm that exploits the Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability (BID 11515). It spreads by sending itself to email addresses that it finds on an infected computer.

This is a mass-mailing worm that exploits the Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability (BID 11515). It spreads by sending itself to email addresses that it finds on an infected computer.

When the worm runs, it creates the following file, using random lowercase letters as the file name:
%System%\[randomname]32.exe

The worm creates one of the following registry entries so that it is executed every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Reactor5" = "%System%\[randomname]32.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Reactor5" = "%System%\[randomname]32.exe"

It also creates one of the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComExplore
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version

The worm deletes the following values:
center
reactor
Rhino
Reactor3
Reactor4

from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It attempts to inject its code as a thread into the processes with a window class name of "Shell_TrayWnd" or into the process running in the foreground.

If successful, this worm will continue to run within the infected process. All the actions described in the next step will appear to be done by the infected process, and the worm will not show when viewing the process list in the Windows Task Manager.

If unsuccessful, the worm will continue to run as its own process.

The worm runs as a Web server on TCP port 1639. It hosts an index.htm file that exploits the IFRAME vulnerability (BID 11515). Viewing this file results in the remote machine downloading and running the worm file.
NOTE: The worm may use other TCP ports besides 1639.

The worm attempts to connect to IRC servers on TCP port 6667.

The worm gathers email addresses from the Windows address book and from the files with the following extensions:
.adb
.asp
.dbx
.htm
.php
.pl
.sht
.tbb
.txt
.wab

The worm avoids sending to email addresses which meet the following criteria:

Contains any of the following strings in the recipient domain:
acketst
arin.
berkeley
bsd
fido
fsf.
gnu
google
iana
ibm.com
ietf
isc.o
isi.e
kernel
linux
math
mit.e
mozilla
pgp
rfc-ed
ripe.
secur
sendmail
tanford.e
unix
usenet
utgers.ed

Addresses whose names begin with one of the following:
abuse
anyone
bugs
ca
contact
feste
gold-certs
help
info
me
no
nobody
noone
not
nothing
page
postmaster
privacy
rating
root
samples
secur
service
site
soft
somebody
someone
spm
submit
the.bat
webmaster
www
you
your

Addresses which contain any of the following strings:
accoun
admin
bsd
certific
google
icrosoft
linux
listserv
ntivi
spam
support
unix


Then it uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

From: (Spoofed)
Attachment: There is no attachment in the email

Subject: hi!
Message:
Hi! I am looking for new friends.

My name is Jane, I am from Miami, FL.

See my homepage with my weblog and last webcam
photos!

See you!

Subject: Hey!
Message: Hi! I am looking for new friends. I am from Miami, FL. You can see my homepage with my last webcam photos!

Subject: <blank> or Confirmation
Message:
Congratulations! PayPal has successfully charged $175 to your credit
card. Your order tracking number is A866DEC0, and your item will be shipped
within three business days.

To see details please click this link

DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by
an automated message system and the reply will not be received.

Thank you for using PayPal.

where "homepage" or "link" is a hyperlink to an index.htm file hosted on the infected machine that sent the email. For example, the hyperlink can be http://<the IP address of an infected machine>:1639/index.htm. Visiting the link causes the worm file to be downloaded and run locally.

The mail may also contain one of the following headers:
X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
X-AntiVirus: Checked for viruses by Gordano's AntiVirus Software
X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)
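A defender-side check for the lure described above, added here as an example and not part of the writeup or of the worm: it parses one message and flags the traits the text gives (a link to index.htm on a bare IP address, the 1639 port, the fixed subjects, no attachment). The sample message and the host 192.0.2.10 are constructed.

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlparse

# Lure traits from the writeup: a link to index.htm on the sending machine's raw
# IP (normally TCP port 1639, other ports possible), no attachment, fixed subjects.
LURE_SUBJECTS = {"hi!", "hey!", "confirmation", ""}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def lure_link(url):
    """(True if host is a literal IP and path is /index.htm, port) for a URL."""
    try:
        p = urlparse(url)
        ipaddress.ip_address(p.hostname or "")  # raises for a DNS name
        return p.path.lower() == "/index.htm", p.port
    except ValueError:
        return False, None

def score_message(raw):
    """List the Bofra.D lure traits found in one RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if msg.get("Subject", "").strip().lower() in LURE_SUBJECTS:
        hits.append("lure-subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    for url in URL_RE.findall(body.get_content() if body else ""):
        is_lure, port = lure_link(url)
        if is_lure:
            hits.append("ip-index-htm-link")
            hits += ["port-1639"] if port == 1639 else []
            break
    if not any(part.get_filename() for part in msg.walk()):
        hits.append("no-attachment")  # weak alone, confirms a link hit
    return hits

def is_suspect(raw):
    """Alert on the IP/index.htm link when a second lure trait backs it up."""
    hits = score_message(raw)
    return "ip-index-htm-link" in hits and len(hits) >= 3

# Constructed sample, not real worm traffic; 192.0.2.10 is a documentation address.
SAMPLE_LURE = """\
From: jane@example.net
Subject: hi!
Content-Type: text/plain

See my homepage http://192.0.2.10:1639/index.htm with my last webcam photos!
"""
```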

The worm terminates if executed on or after December 16th, 2004.