W32.Bofra.A@mm


Discovered: November 08, 2004
Updated: November 09, 2004 6:00:03 PM
Systems Affected: Windows

W32.Bofra.A@mm is a mass-mailing worm which exploits the Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability (BID 11515). It spreads by sending email to addresses that it finds on an infected computer.

When the worm is executed, it creates the following file:
%System%\[randomname]32.exe

It creates a mutex called "FjroFvcpFzgkF0" to ensure that only one instance of the worm runs at any one time.

The worm also creates the following registry entries so that it is executed every time Windows starts:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Reactor[random digit]" = "%System%\[randomname]32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Reactor[random digit]" = "%System%\[randomname]32.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComExplore
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version

The worm sends a mass-mailing to email addresses it finds on the compromised system. The worm searches for email addresses in the Windows address book and in files with the following strings in their name:
.adb
.asp
.dbx
.htm
.php
.pl
.sht
.tbb
.txt
.wab

The worm will avoid sending emails to addresses containing the following strings:
berkeley
unix
math
bsd
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla

It also avoids addresses whose names begin with one of the following:
abuse
anyone
bugs
ca
contact
feste
gold-certs
help
info
me
no
nobody
noone
not
nothing
page
postmaster
privacy
rating
root
samples
secur
service
site
soft
somebody
someone
spm
submit
the.bat
webmaster
www
you
your

It also avoids addresses which contain any of the following strings:
accoun
admin
bsd
certific
google
icrosoft
linux
listserv
ntivi
spam
support
unix

The email will have the following details:
From: (Spoofed)

Subject: (one of the following):
funny photos :)
hello
hey!
blank
random characters
confirmation
Hi!

Message body: (varies, some examples included below)
-Look at my homepage with my last webcam photos!

-FREE ADULT VIDEO! SIGN UP NOW!

Mail header: (may contain one of the following fields)
X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)
X-AntiVirus: Checked for viruses by Gordano's AntiVirus Software

The email contains a hyperlink which directs the recipient to visit the system from which the email message was sent. The infected system serves as a web server which hosts an HTML page (http://[remote address]:1639/webcam.htm) that exploits the IFRAME vulnerability (BID 11515). Viewing this page results in the local machine downloading the file http://[remote address]:1639/reactor as %Desktop%\vv.dat. This file is detected as W32.Bofra.D@mm. The file is then executed.

Attachment: There is no attachment.
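The following is an added example, not part of the original writeup: a mail-gateway check that flags messages matching the lure described above, using the listed subjects, the spoofed X-AntiVirus header values, and a link to the sender's own web server on TCP port 1639. The sample messages and the 192.0.2.10 address are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import Message
from typing import List

# Indicators taken from the W32.Bofra.A@mm description above.
SUBJECTS = {"funny photos :)", "hello", "hey!", "confirmation", "hi!"}
AV_HEADER_MARKERS = (
    "scanned for viruses by AMaViS 0.2.1",
    "Checked by Dr.Web",
    "Checked for viruses by Gordano's AntiVirus Software",
)
# Link back to the infected host's own web server on port 1639.
LURE_URL = re.compile(r"https?://[^\s\"'<>]+:1639/(?:webcam\.htm|reactor)\b", re.I)

def _text_body(msg: Message) -> str:
    """Concatenate all text/* parts of a message, decoded."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def bofra_indicators(raw: str) -> List[str]:
    """Return the list of Bofra.A lure indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    subject = (msg.get("Subject") or "").strip()
    if subject.lower() in SUBJECTS:
        hits.append("subject:" + subject)
    if any(m in v for v in msg.get_all("X-AntiVirus", []) for m in AV_HEADER_MARKERS):
        hits.append("spoofed-av-header")
    hits.extend("lure-url:" + m.group(0) for m in LURE_URL.finditer(_text_body(msg)))
    return hits

def triage(raw: str) -> str:
    """'high' on a port-1639 lure link, 'medium' on two weaker indicators, else 'none'."""
    hits = bofra_indicators(raw)
    if any(h.startswith("lure-url:") for h in hits):
        return "high"
    return "medium" if len(hits) >= 2 else "none"

# Constructed sample messages (not real captures); 192.0.2.10 is a documentation address.
SAMPLE_LURE = ("From: friend@example.com\nTo: victim@example.com\nSubject: hello\n"
               "X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)\n\n"
               "Look at my homepage with my last webcam photos!\nhttp://192.0.2.10:1639/webcam.htm\n")
SAMPLE_CLEAN = ("From: alice@example.com\nTo: bob@example.com\nSubject: Meeting notes\n\n"
                "Today's notes are at http://intranet.example.com/notes\n")
```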

The worm opens TCP port 1639 for listening.

The worm attempts to connect to the following IRC servers on TCP port 6667:
broadway.ny.us.dal.net
brussels.be.eu.undernet.org
caen.fr.eu.undernet.org
ced.dal.net
coins.dal.net
diemen.nl.eu.undernet.org
flanders.be.eu.undernet.org
graz.at.eu.undernet.org
london.uk.eu.undernet.org
los-angeles.ca.us.undernet.org
lulea.se.eu.undernet.org
ozbytes.dal.net
qis.md.us.dal.net
vancouver.dal.net
viking.dal.net
washington.dc.us.undernet.org

The worm then attempts to delete the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\center
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\reactor
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Rhino

The worm terminates if executed on or after December 16th, 2004.