Discovered: November 09, 2004
Updated: November 09, 2004 5:59:07 PM
Systems Affected: Windows
W32.Bofra.D@mm is a mass-mailing worm that exploits the Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability (BID 11515). It spreads by sending itself to email addresses that it finds on an infected computer.
When the worm runs, it creates the following file, using random lowercase letters as the file name:
The worm creates one of the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Reactor5" = "%System%\[randomname]32.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Reactor5" = "%System%\[randomname]32.exe"
It also creates one of the following registry entries:
The worm deletes the following values:
from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It attempts to inject its code as a thread into the process that owns a window of class "Shell_TrayWnd" or into the foreground process.
If successful, the worm continues to run inside the injected process. All the actions described in the following steps appear to be performed by that process, and the worm does not show up as a separate entry in the Windows Task Manager process list.
If unsuccessful, the worm will continue to run as its own process.
The worm runs a Web server on TCP port 1639 that hosts an index.htm file exploiting the IFRAME vulnerability (BID 11515). Viewing this file causes the remote machine to download and run the worm file.
NOTE: The worm may use other TCP ports besides 1639.
The worm attempts to connect to the following IRC servers on TCP port 6667:
The worm gathers email addresses from the Windows address book and from the files with the following extensions:
The worm avoids sending to email addresses which meet the following criteria:
Contains any of the following strings in the recipient domain:
Addresses whose names begin with one of the following:
Addresses which contain any of the following strings:
Then it uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:
Attachment: There is no attachment in the email
Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my homepage with my weblog and last webcam
Message: Hi! I am looking for new friends. I am from Miami, FL. You can see my homepage with my last webcam photos!
Subject: <blank> or Confirmation
Congratulations! PayPal has successfully charged $175 to your credit
card. Your order tracking number is A866DEC0, and your item will be shipped
within three business days.
To see details please click this link
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by
an automated message system and the reply will not be received.
Thank you for using PayPal.
where "homepage" or "link" is a hyperlink to a file index.htm hosted on the infected machine that sent the email, for example http://<the IP address of an infected machine>:1639/index.htm. Visiting the link downloads and runs the worm file locally.
The mail may also contain one of the following headers:
X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
X-AntiVirus: Checked for viruses by Gordano's AntiVirus Software
X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)
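As an added example (not part of the original writeup), a mail-gateway triage check in Python that looks for the indicators described above: the spoofed X-AntiVirus headers, the lure wording, and a hyperlink to index.htm on a bare IP address with an explicit port. The sample message, the sender address and the 192.0.2.10 address are constructed.

```python
import re
from email import message_from_string

# Indicators from the W32.Bofra.D@mm description: spoofed scanner headers,
# lure wording, and a link to index.htm served from a bare IP address with
# an explicit port (1639 by default, but the worm may use other ports).
SPOOFED_AV_HEADERS = ("scanned for viruses by AMaViS 0.2.1",
                      "Checked for viruses by Gordano's AntiVirus Software",
                      "Checked by Dr.Web")
LURE_PHRASES = ("looking for new friends", "PayPal has successfully charged")
LURE_LINK = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d+)/index\.htm", re.I)

def bofra_indicators(raw_message: str) -> list:
    """Return the Bofra lure indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = []
    for value in msg.get_all("X-AntiVirus", []):
        if any(s in value for s in SPOOFED_AV_HEADERS):
            hits.append("spoofed X-AntiVirus header: " + value.strip())
    body = ""
    for part in msg.walk():  # works for single-part and multipart mail
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                body += payload.decode("latin-1", "replace")
    for m in LURE_LINK.finditer(body):
        hits.append(f"index.htm link to bare IP {m.group(1)} on port {m.group(2)}")
    for phrase in LURE_PHRASES:
        if phrase.lower() in body.lower():
            hits.append("known lure wording: " + phrase)
    return hits

def is_bofra_lure(raw_message: str) -> bool:
    """A bare-IP index.htm link alone is decisive; otherwise need two weaker signs."""
    hits = bofra_indicators(raw_message)
    return any(h.startswith("index.htm link") for h in hits) or len(hits) >= 2

# Constructed sample message; 192.0.2.10 is documentation address space.
SAMPLE = """From: jane@example.invalid
Subject: Confirmation
X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)
Content-Type: text/html

<p>Congratulations! PayPal has successfully charged $175 to your credit card.
To see details please click this <a href="http://192.0.2.10:1639/index.htm">link</a></p>
"""
```

Because the worm may listen on ports other than 1639, the link check flags any explicit port on a bare IP rather than 1639 alone.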
The worm terminates if executed on or after December 16th, 2004.