W32.Bofra.E@mm


Discovered: November 12, 2004
Updated: November 12, 2004 9:48:22 PM
Systems Affected: Windows

W32.Bofra.E@mm is a mass-mailing worm which exploits Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability (BID 11515). The worm spreads by sending an email with a link to a malformed .html page to addresses that it finds on the infected computer.

When the worm runs, it creates the following file, using random lower-case letters as the file name:
%System%\[randomname]32.exe

The worm creates one of the following registry entries so that it is executed every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Reactor9" = "%System%\[randomname]32.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Reactor9" = "%System%\[randomname]32.exe"

It also creates one of the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version

The worm deletes the following values from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that older versions of the worm do not run on the system:
center
reactor
Rhino
Reactor3
Reactor4
Reactor5
Reactor6
Reactor7
Reactor8
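The file and registry entries above are the host-side indicators a responder would check. The following script is an added example, not part of this writeup or any vendor tool: it classifies a Run value by the known Bofra value names (Reactor9 plus the older names the worm deletes) and by the %System%\[random lower-case letters]32.exe data pattern, and on Windows enumerates both Run keys and looks for the ComExplore key. The list of system directories, the small allowlist of legitimate Windows binaries whose names also end in "32.exe", and the sample values are assumptions made for the example.

```python
import re
import sys

# Run value names written by this variant ("Reactor9") and by the older
# variants it deletes, compared case-insensitively.
BOFRA_RUN_NAMES = {
    "center", "reactor", "rhino", "reactor3", "reactor4", "reactor5",
    "reactor6", "reactor7", "reactor8", "reactor9",
}

# Directories that %System% expands to on a default install (assumption:
# non-default install paths would need adding here).
SYSTEM_DIRS = {"%system%", r"c:\windows\system32", r"c:\winnt\system32"}

# Legitimate Windows binaries whose names also end in "32.exe"; a partial
# allowlist chosen for this example, not taken from the writeup.
KNOWN_GOOD_32 = {"rundll32.exe", "regsvr32.exe", "odbcad32.exe", "winhlp32.exe"}

RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
COMEXPLORE_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComExplore"


def looks_like_bofra_path(data):
    """True if data is <system dir>\\<random lower-case letters>32.exe."""
    path = data.strip().strip('"')
    head, _, tail = path.rpartition("\\")
    if head.lower() not in SYSTEM_DIRS or tail in KNOWN_GOOD_32:
        return False
    return re.fullmatch(r"[a-z]+32\.exe", tail) is not None


def classify_run_value(name, data):
    """Return the reasons a Run value matches Bofra persistence (empty list if none)."""
    reasons = []
    if name.lower() in BOFRA_RUN_NAMES:
        reasons.append(f"value name {name!r} is a known Bofra Run entry")
    if looks_like_bofra_path(data):
        reasons.append(f"data {data!r} matches %System%\\[a-z]+32.exe")
    return reasons


def scan_live_registry():
    """On Windows, enumerate both Run keys and check for the ComExplore marker key."""
    if sys.platform != "win32":
        return []
    import winreg
    findings = []
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, RUN_SUBKEY) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values
                    index += 1
                    for reason in classify_run_value(name, str(data)):
                        findings.append(f"{hive_name}\\Run: {reason}")
        except OSError:
            pass  # key not present or not readable
        try:
            # The writeup gives the path ending in "Version"; checking for the
            # parent key covers both a subkey and a value of that name.
            winreg.CloseKey(winreg.OpenKey(hive, COMEXPLORE_SUBKEY))
            findings.append(f"{hive_name}: ComExplore key present")
        except OSError:
            pass
    return findings


if __name__ == "__main__":
    for line in scan_live_registry():
        print(line)
```

A value name match is the strong signal; the path pattern alone will also match any unlisted legitimate binary whose name ends in "32.exe", so treat it as corroboration rather than a verdict.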

It attempts to inject its code as a thread into the process that owns the window of class "Shell_TrayWnd" (the Explorer taskbar) or into the foreground process.

If successful, the worm continues to run inside that process. All the actions described below appear to be performed by the injected process, and the worm does not appear as a separate entry in the Windows Task Manager process list.

If unsuccessful, the worm continues to run as its own process.

The worm runs an HTTP server on TCP port 1639:

When it receives an HTTP GET request that does not contain "reactor", it responds with a page that exploits the IFRAME vulnerability (BID 11515) and carries shellcode. The shellcode runs on the remote machine and sends a second HTTP GET request, this one containing "reactor".

When the worm receives an HTTP GET request that contains "reactor", it sends a copy of itself to the remote machine, where the shellcode already running there executes it.

NOTE: The worm may use TCP ports other than 1639.
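The two-request exchange above is visible from the network: a plain GET to the infected host, followed by a GET from the same client that contains "reactor". The following detector is an added example, not part of this writeup: it replays that logic over constructed proxy-style log lines and reports the client/server pairs that completed both stages. It deliberately does not filter on port 1639, because of the note above. The log line format, the "/reactor" path in the sample (the writeup says only that the request contains "reactor") and the addresses are assumptions made for the example.

```python
import re

# Assumed log format for this example, one request per line (constructed here):
#   <timestamp> <client_ip> <server_ip>:<server_port> <method> <path> <version>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)"
)


def find_bofra_handshakes(lines):
    """Return (client, server, port) tuples that completed the two-request exchange.

    Stage 1 is any GET to a server that does not contain "reactor"; stage 2 is a
    later GET from the same client to the same server and port that does. The
    port is part of the key but never used as a filter, since the worm may
    listen on ports other than 1639.
    """
    stage1_seen = set()
    handshakes = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        key = (m.group("src"), m.group("dst"), int(m.group("port")))
        if "reactor" in m.group("path").lower():
            if key in stage1_seen and key not in handshakes:
                handshakes.append(key)
        else:
            stage1_seen.add(key)
    return handshakes


# Constructed sample: two infections (one on 1639, one on a non-default port)
# and one ordinary browsing session that must not match.
SAMPLE_LOG = """\
2004-11-12T21:40:01 10.0.0.5 203.0.113.9:1639 GET /index.htm HTTP/1.1
2004-11-12T21:40:02 10.0.0.5 203.0.113.9:1639 GET /reactor HTTP/1.1
2004-11-12T21:41:10 10.0.0.7 203.0.113.9:80 GET /index.html HTTP/1.1
2004-11-12T21:41:11 10.0.0.7 203.0.113.9:80 GET /about.htm HTTP/1.1
2004-11-12T21:42:00 10.0.0.8 203.0.113.44:8181 GET /index.htm HTTP/1.1
2004-11-12T21:42:01 10.0.0.8 203.0.113.44:8181 GET /reactor HTTP/1.1
""".splitlines()


if __name__ == "__main__":
    for client, server, port in find_bofra_handshakes(SAMPLE_LOG):
        print(f"{client} completed the Bofra exchange with {server}:{port}")
```

On ordinary web ports a path that merely contains "reactor" can be a legitimate page, so use this together with the mail-side indicators (a lure linking to a raw IP address and port) rather than on its own.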

The worm attempts to connect to the following IRC servers on TCP port 6667:
qis.md.us.dal.net
ced.dal.net
viking.dal.net
vancouver.dal.net
ozbytes.dal.net
broadway.ny.us.dal.net
coins.dal.net
lulea.se.eu.undernet.org
diemen.nl.eu.undernet.org
london.uk.eu.undernet.org
washington.dc.us.undernet.org
los-angeles.ca.us.undernet.org
brussels.be.eu.undernet.org
caen.fr.eu.undernet.org
flanders.be.eu.undernet.org
graz.at.eu.undernet.org

The worm gathers email addresses from the Windows Address Book and from files with the following extensions:
.adb
.asp
.dbx
.htm
.php
.pl
.sht
.tbb
.txt
.wab

The worm does not send to email addresses that meet any of the following criteria:

The recipient domain contains any of the following strings:
berkeley
unix
math
bsd
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla
avp
syma
icrosof
msn.
hotmail
panda
sopho
borlan
inpris
example
mydomai
nodomai
ruslis
.gov
gov.
.mil
foo.

The name (the part before the @) begins with one of the following:
root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
me
bugs
rating
site
contact
soft
no
somebody
privacy
service
help
not
submit
feste
ca
gold-certs
the.bat
page
spm
abuse
www
secur

The name contains one of the following:
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
google
accoun
spam
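The three lists above fully describe the worm's target selection, which is useful when reconstructing from a harvested address list who would have received the lure. The following implementation is an added example, not code from the worm or from this writeup: it applies the domain-substring, name-prefix and name-substring checks in the order listed and reports which rule excluded an address. Case-insensitive comparison and the sample harvested addresses are assumptions made for the example; the writeup lists the strings in lower case only.

```python
# Substrings the worm looks for in the recipient domain, in the order listed.
DOMAIN_SUBSTRINGS = [
    "berkeley", "unix", "math", "bsd", "mit.e", "gnu", "fsf.", "ibm.com",
    "google", "kernel", "linux", "fido", "usenet", "iana", "ietf", "rfc-ed",
    "sendmail", "arin.", "ripe.", "isi.e", "isc.o", "secur", "acketst", "pgp",
    "tanford.e", "utgers.ed", "mozilla", "avp", "syma", "icrosof", "msn.",
    "hotmail", "panda", "sopho", "borlan", "inpris", "example", "mydomai",
    "nodomai", "ruslis", ".gov", "gov.", ".mil", "foo.",
]

# Prefixes of the name (the part before the @) that cause a skip.
NAME_PREFIXES = [
    "root", "info", "samples", "postmaster", "webmaster", "noone", "nobody",
    "nothing", "anyone", "someone", "your", "you", "me", "bugs", "rating",
    "site", "contact", "soft", "no", "somebody", "privacy", "service", "help",
    "not", "submit", "feste", "ca", "gold-certs", "the.bat", "page", "spm",
    "abuse", "www", "secur",
]

# Substrings anywhere in the name that cause a skip.
NAME_SUBSTRINGS = [
    "admin", "icrosoft", "support", "ntivi", "unix", "bsd", "linux",
    "listserv", "certific", "google", "accoun", "spam",
]


def skip_reason(address):
    """Return why the worm would skip this address, or None if it would be mailed.

    Comparison is case-insensitive (an assumption for this example).
    """
    addr = address.strip().lower()
    if addr.count("@") != 1:
        return "not a single name@domain address"
    name, domain = addr.split("@")
    for s in DOMAIN_SUBSTRINGS:
        if s in domain:
            return f"domain contains {s!r}"
    for p in NAME_PREFIXES:
        if name.startswith(p):
            return f"name begins with {p!r}"
    for s in NAME_SUBSTRINGS:
        if s in name:
            return f"name contains {s!r}"
    return None


def select_targets(harvested):
    """Apply the filter to a harvested list, returning the addresses the worm would mail."""
    return [a for a in harvested if skip_reason(a) is None]


# Constructed sample of what a harvest from .txt/.htm files might yield.
HARVESTED = [
    "jane@hotmail.com",        # domain contains "hotmail"
    "carl@smallbiz.net",       # name begins with "ca" (the prefix list is very broad)
    "sysadmin@smallbiz.net",   # name contains "admin"
    "megan@smallbiz.net",      # name begins with "me"
    "support@vendor.example",  # domain contains "example"
    "dave@smallbiz.net",       # passes every rule: would receive the lure
]


if __name__ == "__main__":
    for a in HARVESTED:
        print(f"{a:26} -> {skip_reason(a) or 'SEND'}")
```

Note how coarse the prefix rule is: "ca", "me", "no" and "you" exclude any name starting with those letters, so the worm under-delivers to ordinary users as well as avoiding vendor and abuse mailboxes.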

It then uses its own SMTP engine to send an email containing a link to a malformed .html page to the addresses it has found. The email has the following characteristics:

From: (Spoofed)
Attachment: There is no attachment in the email

Subject: one of the following:
hi!
Hey!

Message:
Hi! I am looking for new friends.

My name is Jane, I am from Miami, FL.

See my homepage with my weblog and last webcam
photos!

See you!

Subject: <blank>
Message: Hi! I am looking for new friends. I am from Miami, FL. You can see my homepage with my last webcam photos!

Subject: Confirmation
Message:
Congratulations! PayPal has successfully charged $175 to your credit
card. Your order tracking number is A866DEC0, and your item will be shipped
within three business days.

To see details please click this link

DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by
an automated message system and the reply will not be received.

Thank you for using PayPal.

where "homepage" or "link" is a hyperlink back to the infected machine that sent the email, for example http://<the IP address of an infected machine>:1639/index.htm. Visiting the link sends an HTTP GET request to that machine; as a result, the worm file is downloaded and run locally as vv.dat.

The mail may also contain one of the following headers:
X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
X-AntiVirus: Checked for viruses by Gordano's AntiVirus Software
X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)
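The lure mails have a combination that ordinary mail rarely has: a hyperlink to a raw IP address with an explicit port, one of the listed subjects, one of the listed X-AntiVirus headers, and the fixed body text. The following mail-side check is an added example, not code from this writeup: it parses a raw message with Python's email package, collects each of those indicators, and flags the message only when the raw-IP link is accompanied by at least one other indicator. The two sample messages, their addresses and the IP address are constructed for the example.

```python
import re
from email import message_from_string
from email.policy import default

# Subjects used by the lure mails, compared case-insensitively ("" is the blank subject).
LURE_SUBJECTS = {"hi!", "hey!", "", "confirmation"}

# X-AntiVirus header values the worm adds so the mail looks scanned.
SPOOFED_AV_HEADERS = {
    "scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)",
    "Checked for viruses by Gordano's AntiVirus Software",
    "Checked by Dr.Web (http://www.drweb.net)",
}

# Distinctive fixed text from the three message bodies.
LURE_PHRASES = ("looking for new friends", "successfully charged $175", "A866DEC0")

# http://<dotted IP>:<port>/... : the link points back at the sending host itself.
IP_LINK_RE = re.compile(r"""https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})/[^\s"'<>]*""",
                        re.IGNORECASE)


def _body_text(msg):
    part = msg.get_body(preferencelist=("html", "plain"))
    return part.get_content() if part is not None else ""


def bofra_indicators(raw_message):
    """Return the list of Bofra.E lure indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw_message, policy=default)
    found = []
    subject = str(msg.get("Subject", "")).strip()
    if subject.lower() in LURE_SUBJECTS:
        found.append(f"subject {subject!r}")
    for value in msg.get_all("X-AntiVirus", []):
        if str(value).strip() in SPOOFED_AV_HEADERS:
            found.append(f"spoofed X-AntiVirus: {str(value).strip()}")
    body = _body_text(msg)
    for m in IP_LINK_RE.finditer(body):
        found.append(f"link to raw IP {m.group(1)} port {m.group(2)}")
    for phrase in LURE_PHRASES:
        if phrase.lower() in body.lower():
            found.append(f"lure text {phrase!r}")
    return found


def is_bofra_lure(raw_message):
    """Flag only when a raw-IP link is present together with another indicator."""
    found = bofra_indicators(raw_message)
    has_link = any(f.startswith("link to raw IP") for f in found)
    return has_link and len(found) >= 2


# Constructed sample resembling the "hi!" lure (addresses and IP are documentation values).
LURE_SAMPLE = """\
From: jane@example.net
To: dave@smallbiz.net
Subject: hi!
X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)
Content-Type: text/html

<p>Hi! I am looking for new friends.</p>
<p>My name is Jane, I am from Miami, FL.</p>
<p>See my <a href="http://198.51.100.23:1639/index.htm">homepage</a> with my weblog
and last webcam photos!</p>
"""

# Constructed benign message: a hostname link and an ordinary subject.
BENIGN_SAMPLE = """\
From: alice@smallbiz.net
To: dave@smallbiz.net
Subject: Q4 budget draft
Content-Type: text/plain

The draft is at https://intranet.smallbiz.net/finance/q4.xls, comments by Friday.
"""


if __name__ == "__main__":
    for label, raw in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, is_bofra_lure(raw), bofra_indicators(raw))
```

The raw-IP link is the indicator worth keeping even after the fixed subjects and headers change in later variants: the worm can only serve the exploit page from the infected host, so the lure has to point at an address rather than a registered name.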

The worm terminates if it is executed on or after December 16, 2004.