W32.Bofra.B@mm


Discovered: November 10, 2004
Updated: November 10, 2004 11:15:22 PM
Systems Affected: Windows

W32.Bofra.B@mm is a mass-mailing worm which exploits Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability (BID 11515). It spreads by sending a link via email to addresses that it finds on an infected computer.

When the worm is executed, it creates the following file:
%System%\[randomname]32.exe

The worm tries to delete the following registry keys, created by previous variants of W32.Bofra@mm:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"center"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"reactor"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Rhino"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Reactor3"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Reactor4"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Reactor5"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Reactor6"

The worm also creates the following registry entries so that it is executed every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Reactor7" = "%System%\[randomname]32.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Reactor7" = "%System%\[randomname]32.exe"

The worm also creates the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComExplore
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version
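The file and registry indicators above are the artifacts an incident responder would check first. The following is an added example, not Symantec's code, that triages a `.reg` export (the text written by `reg export`) offline: it flags the Run values named in this advisory (the "Reactor7" entry and the older-variant names the worm deletes), the ComExplore marker keys, and, as a weaker heuristic that is this example's own assumption, any Run value launching a `%System%\<name>32.exe` file. The export text is constructed for the example; the file name `kqzd32.exe` and the value name "Updater" are placeholders, not indicators from the advisory.

```python
import re

# Run-key value names used by W32.Bofra.B@mm and the earlier variants it removes
# (taken from the advisory), compared case-insensitively like the registry does.
BOFRA_RUN_NAMES = {n.lower() for n in (
    "center", "reactor", "Rhino", "Reactor3", "Reactor4",
    "Reactor5", "Reactor6", "Reactor7",
)}
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
COMEXPLORE_SUFFIX = r"\software\microsoft\windows\currentversion\explorer\comexplore"

# The dropped file is %System%\[randomname]32.exe. Matching that naming scheme is a
# heuristic chosen for this example (assumption), not an indicator from the advisory.
DROPPED_FILE_RE = re.compile(r"\\system32\\[a-z0-9]+32\.exe", re.IGNORECASE)

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def scan_reg_export(text):
    """Return a list of (severity, key, detail) findings from a .reg export."""
    findings = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            lowered = current_key.lower()
            if lowered.endswith(COMEXPLORE_SUFFIX) or \
               lowered.endswith(COMEXPLORE_SUFFIX + r"\version"):
                findings.append(("high", current_key, "ComExplore marker key present"))
            continue
        m = VALUE_RE.match(line)
        if not m or current_key is None:
            continue
        if not current_key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        name = m.group(1)
        data = m.group(2).replace("\\\\", "\\")  # .reg files double every backslash
        if name.lower() in BOFRA_RUN_NAMES:
            findings.append(("high", current_key, f'Run value "{name}" = {data}'))
        elif DROPPED_FILE_RE.search(data):
            findings.append(("medium", current_key, f'Run value "{name}" launches {data}'))
    return findings


# Constructed sample export: one machine with both autostart entries, a benign
# ctfmon entry, a placeholder value that only matches the file-name heuristic,
# and the two marker keys under HKCU.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reactor7"="C:\\WINDOWS\\system32\\kqzd32.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="C:\\WINDOWS\\system32\\xyzw32.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reactor7"="C:\\WINDOWS\\system32\\kqzd32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version]
"""

if __name__ == "__main__":
    for severity, key, detail in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"[{severity}] {key}: {detail}")
```

On a live Windows host the same checks can be run directly against the registry, but scanning an export keeps the analysis repeatable and lets the responder work from a collected artifact rather than the suspect machine.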

Next, the worm sends a mass-mailing to email addresses it finds on the compromised system. The worm searches for email addresses in the Windows address book and in files with the following strings in their name:
.adb
.asp
.dbx
.htm
.php
.pl
.sht
.tbb
.txt
.wab

The worm will avoid sending emails to addresses containing the following strings:

accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
.gov
help
hotmail
iana
ibm.com
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
listserv
.mil
math
me
mit.e
mozilla
msn
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
usenet
utgers.ed
webmaster
you
your

The worm also avoids addresses whose names begin with one of the following:
abuse
anyone
bugs
ca
contact
feste
gold-certs
help
info
me
no
nobody
noone
not
nothing
page
postmaster
privacy
rating
root
samples
secur
service
site
soft
somebody
someone
spm
submit
the.bat
webmaster
www
you
your

The email will have the following details:
From: (Spoofed)

Subject: (one of the following)
hello!
hey!
blank
random characters
Confirmation
Hi!

Message body: (varies, some examples included below)

Hi! I am looking for new friends. I am from Miami, FL. You can see my homepage with my last webcam photos!

Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my homepage with my weblog and last webcam photos!

Congratulations! PayPal has successfully charged $175 to your credit
card. Your order tracking number is A866DEC0, and your item will be shipped
within three business days.

To see details please click this link.

DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by
an automated message system and the reply will not be received.
Thank you for using PayPal.

Mail header: (may contain one of the following fields)
X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)
X-AntiVirus: Checked for viruses by Gordano's AntiVirus Software

The worm then sends the link that points to the infected host as follows: http://<the IP address of an infected machine>:1640/reactor
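The message characteristics above (the spoofed X-AntiVirus headers, the fixed subject lines and the `http://<IP>:1640/reactor` link) are what a mail gateway can key on. The following is an added example, not Symantec's code, that classifies a raw RFC 822 message using Python's standard `email` module: the `:1640/reactor` link to a bare IP address is treated as decisive, while a listed X-AntiVirus header or subject only corroborates. The two sample messages are constructed for the example; `192.0.2.15` and the example.org/example.net addresses are placeholders, not addresses from the advisory.

```python
import email
import re

# Link form the worm mails out: http://<IP address of infected host>:1640/reactor
REACTOR_LINK_RE = re.compile(
    r"https?://(\d{1,3}(?:\.\d{1,3}){3}):1640/reactor\b", re.IGNORECASE
)

# Spoofed scanner headers listed in the advisory
FAKE_AV_HEADERS = {
    "scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)",
    "Checked by Dr.Web (http://www.drweb.net)",
    "Checked for viruses by Gordano's AntiVirus Software",
}

# Fixed subjects from the advisory (blank and random subjects cannot be matched)
KNOWN_SUBJECTS = {"hello!", "hey!", "confirmation", "hi!"}


def message_text(msg):
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def classify_message(raw):
    """Return (verdict, reasons, reactor_hosts) for one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    reasons = []
    hosts = sorted(set(REACTOR_LINK_RE.findall(message_text(msg))))
    if hosts:
        reasons.append("link to :1640/reactor")
    for value in msg.get_all("X-AntiVirus", []):
        if value.strip() in FAKE_AV_HEADERS:
            reasons.append("spoofed X-AntiVirus header")
            break
    if (msg.get("Subject") or "").strip().lower() in KNOWN_SUBJECTS:
        reasons.append("known subject line")
    # The link alone is decisive; header and subject together are only suspicious,
    # because legitimate mail can carry either one on its own.
    if hosts:
        verdict = "bofra"
    elif len(reasons) >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, reasons, hosts


# Constructed samples: one message in the worm's form, one benign message that
# happens to reuse the "Confirmation" subject.
SAMPLE_WORM_MAIL = """\
From: jane@example.net
To: victim@example.org
Subject: hello!
X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)

Hi! I am looking for new friends. I am from Miami, FL.
You can see my homepage with my last webcam photos!
http://192.0.2.15:1640/reactor
"""

SAMPLE_CLEAN_MAIL = """\
From: colleague@example.org
To: victim@example.org
Subject: Confirmation

Your meeting room booking for Tuesday is confirmed.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_WORM_MAIL, SAMPLE_CLEAN_MAIL):
        print(classify_message(sample))
```

The returned host list is the part worth acting on: each address is an infected machine serving the exploit page on TCP 1640, so it can be fed straight into blocking or notification workflows.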

The worm opens TCP port 1640 for listening.

The worm attempts to connect to the following IRC servers on TCP port 6667:
broadway.ny.us.dal.net
brussels.be.eu.undernet.org
caen.fr.eu.undernet.org
ced.dal.net
coins.dal.net
diemen.nl.eu.undernet.org
flanders.be.eu.undernet.org
graz.at.eu.undernet.org
london.uk.eu.undernet.org
los-angeles.ca.us.undernet.org
lulea.se.eu.undernet.org
ozbytes.dal.net
qis.md.us.dal.net
vancouver.dal.net
viking.dal.net
washington.dc.us.undernet.org
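The listening port and the IRC server list give a network-level view of an infection. The following is an added example, not Symantec's code, that walks firewall log lines and reports hosts that either connect to one of the listed IRC servers on TCP 6667 or take part in a connection to TCP 1640. The log format (timestamp, protocol, source, destination, action, with destinations already resolved to host names) and every address in the sample are constructed for this example and are not from the advisory.

```python
import re
from collections import defaultdict

# IRC servers the worm contacts on TCP 6667 (from the advisory)
IRC_SERVERS = {
    "broadway.ny.us.dal.net",
    "brussels.be.eu.undernet.org",
    "caen.fr.eu.undernet.org",
    "ced.dal.net",
    "coins.dal.net",
    "diemen.nl.eu.undernet.org",
    "flanders.be.eu.undernet.org",
    "graz.at.eu.undernet.org",
    "london.uk.eu.undernet.org",
    "los-angeles.ca.us.undernet.org",
    "lulea.se.eu.undernet.org",
    "ozbytes.dal.net",
    "qis.md.us.dal.net",
    "vancouver.dal.net",
    "viking.dal.net",
    "washington.dc.us.undernet.org",
}

# Constructed log line format (assumption of this example):
#   <timestamp> <TCP|UDP> <src>:<sport> -> <dst>:<dport> <action>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[^:\s]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[^:\s]+):(?P<dport>\d+)\s+(?P<action>\w+)$"
)


def analyse_log(lines):
    """Return {host: set(indicator)} for hosts showing W32.Bofra.B@mm traffic."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["proto"] != "TCP":
            continue
        dport = int(m["dport"])
        dst = m["dst"].lower()
        if dport == 6667 and dst in IRC_SERVERS:
            hits[m["src"]].add("irc:" + dst)
        elif dport == 1640:
            # The worm listens on TCP 1640 and mails out links to it: the
            # destination is a likely infected host, the source a likely victim.
            hits[m["dst"]].add("reactor-listener")
            hits[m["src"]].add("reactor-client")
    return dict(hits)


# Constructed sample: one host talking to two listed IRC servers and serving
# port 1640, one host with only unrelated traffic.
SAMPLE_LOG = """\
2004-11-11T03:12:44Z TCP 10.0.0.23:1049 -> viking.dal.net:6667 ALLOW
2004-11-11T03:12:45Z TCP 10.0.0.23:1050 -> graz.at.eu.undernet.org:6667 ALLOW
2004-11-11T03:14:02Z TCP 10.0.0.41:3321 -> www.example.com:80 ALLOW
2004-11-11T03:15:10Z TCP 198.51.100.7:40211 -> 10.0.0.23:1640 ALLOW
2004-11-11T03:15:30Z UDP 10.0.0.23:1234 -> 10.0.0.1:53 ALLOW
2004-11-11T03:16:01Z TCP 10.0.0.41:3322 -> irc.example.net:6667 ALLOW
"""

if __name__ == "__main__":
    for host, indicators in analyse_log(SAMPLE_LOG.splitlines()).items():
        print(host, sorted(indicators))
```

A host that shows both an IRC indicator and the listener indicator is the one to isolate first; a client-only hit marks a user who followed the mailed link and should be checked for exploitation through the IFRAME vulnerability.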