W32.Bofra.C@mm

Discovered: November 11, 2004
Updated: November 11, 2004 12:11:15 PM
Systems Affected: Windows

W32.Bofra.C@mm is a mass-mailing worm that exploits the Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability (BID 11515). It spreads by sending a link via email to addresses that it finds on an infected computer.

When the worm is executed, it creates the following copy of itself:
%System%\[random name]32.exe

The worm creates the following registry entry so that it is executed every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Reactor6" = "%System%\[random name]32.exe"

The worm also creates the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComExplore
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version

The worm tries to delete the following registry keys, created by previous variants of the Bofra family:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"center"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"reactor"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Rhino"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Reactor3"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Reactor4"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Reactor5"

Next, the worm injects code into the explorer.exe process and runs it.

The worm sends a mass-mailing to email addresses it finds on the compromised system. It searches for email addresses in the Windows Address Book and in files whose names contain the following strings:
.adb
.asp
.dbx
.htm
.php
.pl
.sht
.tbb
.txt
.wab

The worm avoids sending email to addresses that contain the following strings:
.edu
.gov
.mil
acketst
arin.
avp
berkeley
borlan
bsd
example
fido
foo.
fsf.
gnu
google
gov.
hotmail
iana
ibm.com
icrosof
ietf
inpris
isc.o
isi.e
kernel
linux
math
mit.e
mozilla
msn.
mydomai
nodomai
panda
pgp
rfc-ed
ripe.
ruslis
secur
sendmail
sopho
syma
tanford.e
unix
usenet
utgers.ed

The worm also avoids sending email to addresses whose names begin with one of the following strings:
abuse
accoun
admin
anyone
bugs
certific
contact
feste
gold-certs
help
icrosoft
info
listserv
nobody
noone
not
nothing
ntivi
page
postmaster
privacy
rating
root
samples
service
site
soft
somebody
someone
submit
support
the.bat
webmaster
www
you
your

The email has the following characteristics:
From: (Spoofed)

Subject: (one of the following):
hello!
hey!
[blank]
[random characters]
Confirmation
Hi!

Message body: (varies; some examples are shown below)

Hi! I am looking for new friends. I am from Miami, FL. You can see my homepage with my last webcam photos!

Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my homepage with my weblog and last webcam photos!
See you!

Congratulations! PayPal has successfully charged $175 to your credit
card. Your order tracking number is A866DEC0, and your item will be shipped
within three business days.

To see details please click this link.

DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by
an automated message system and the reply will not be received.
Thank you for using PayPal.

Mail header: (may contain one of the following fields)
X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)
X-AntiVirus: Checked for viruses by Gordano's AntiVirus Software

The email includes the following URL, which exploits the Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability (BID 11515): http://[remote address]:1639/reactor

Note: [remote address] in the above URL is the IP address of the infected computer that sent the email.

The worm opens TCP ports 1639 and 1640 and listens on them.

The worm also runs an ident daemon on TCP port 113 for use with IRC.
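As an added defender's example (not part of the original writeup), the following Python checks host artifacts for the indicators described above: the Reactor6 Run value and ComExplore marker keys, the listening TCP ports 1639, 1640 and 113, and the http://[remote address]:1639/reactor link in mail text. The .reg export, netstat listing and mail snippet are constructed samples; the [random name]32.exe path pattern is an assumption about how the value would appear in an export and is treated as a weaker indicator than the value name itself.

```python
import re

# Indicators from the writeup above; Run value names include the earlier
# variants' names, since the worm deletes those entries on infection.
BOFRA_RUN_NAMES = {"Reactor6", "center", "reactor", "Rhino", "Reactor3", "Reactor4", "Reactor5"}
RUN_KEY_SUFFIX = r"\currentversion\run"
MARKER_KEY = r"\currentversion\explorer\comexplore"
WORM_PORTS = {1639, 1640, 113}
EXPLOIT_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3}):1639/reactor\b", re.I)

def check_registry(reg_export: str) -> list:
    """Scan a .reg-style export for the worm's Run value and ComExplore marker keys."""
    findings, key = [], ""
    for line in (l.strip() for l in reg_export.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if MARKER_KEY in key.lower():
                findings.append(f"marker key: {key}")
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and key.lower().endswith(RUN_KEY_SUFFIX):
            name, data = m.groups()
            # Known Bofra value name, or a %System%\<name>32.exe path (weaker signal)
            if name in BOFRA_RUN_NAMES or re.search(r"\\+system32\\+[^\\]+32\.exe$", data, re.I):
                findings.append(f"Run value {name} -> {data}")
    return findings

def check_listeners(netstat_output: str) -> list:
    """Return worm-associated TCP ports seen in LISTENING state in `netstat -an` output."""
    found = set()
    for parts in (l.split() for l in netstat_output.splitlines()):
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[-1].upper() == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            if port in WORM_PORTS:
                found.add(port)
    return sorted(found)

def find_exploit_links(text: str) -> list:
    """Return the sender IPs behind any http://<ip>:1639/reactor links in mail text."""
    return [m.group(1) for m in EXPLOIT_URL.finditer(text)]

# Constructed sample inputs (not captured from a real infection).
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Reactor6"="C:\\WINDOWS\\system32\\qhzx32.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version]
'''
SAMPLE_NETSTAT = ("  TCP    0.0.0.0:1639    0.0.0.0:0    LISTENING\n"
                  "  TCP    0.0.0.0:113     0.0.0.0:0    LISTENING\n"
                  "  TCP    0.0.0.0:1640    0.0.0.0:0    LISTENING\n")
SAMPLE_MAIL = "See my homepage with my last webcam photos! http://203.0.113.7:1639/reactor"
```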

The worm attempts to connect to the following IRC servers on TCP port 6667:
2qis.md.us.dal.net
broadway.ny.us.dal.net
brussels.be.eu.undernet.org
caen.fr.eu.undernet.org
ced.dal.net
coins.dal.net
diemen.nl.eu.undernet.org
flanders.be.eu.undernet.org
graz.at.eu.undernet.org
london.uk.eu.undernet.org
los-angeles.ca.us.undernet.org
lulea.se.eu.undernet.org
ozbytes.dal.net
vancouver.dal.net
viking.dal.net
washington.dc.us.undernet.org