Users who click on links inside emails sent by
the worm may be putting themselves at risk of infection.
Users who think they are clicking on an adult webcam link may
catch a nasty infection
Updated 9 November 2004
Experts at Sophos have warned users to be wary of unsolicited
emails which attempt to lure users into clicking on a link, but
which really enable a malicious family of worms to infect their
Windows computers.
Sophos is reporting many sightings of emails designed to fool
users into being infected by the W32/Bofra family of worms
(mistakenly called W32/Mydoom.AG, W32/Mydoom.AH, or W32/Mydoom.AI
by some anti-virus vendors).
Emails sent by the W32/Bofra-A worm use a variety of different
subject lines and message bodies, including:
Subject lines:
Hello
funny photos :)
Message bodies:
Look at my homepage with my last webcam photos!
FREE ADULT VIDEO! SIGN UP NOW!
Emails sent by W32/Bofra-B have the following
characteristics:
Subject line:
Confirmation
Message body:
Congratulations! PayPal has successfully charged $175 to your
credit card. Your order tracking number is A866DEC0, and your item
will be shipped within three business days.
To see details please click this link.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being
sent by an automated message system and the reply will not be
received. Thank you for using PayPal.
The emails often purport to link to websites containing adult
content. If users open the emails and then click on the links, they
may find their computers are compromised. Clicking on the link
takes the user to a web server running on a previously infected
computer, which exploits the recently discovered IFRAME
vulnerability in Microsoft Internet Explorer, and initiates the
launching of the worm on the visiting computer. The worm then
harvests email addresses from the infected PC and forwards further
emails with the intention of spreading the virus further.
"Companies should educate their users to practise safe computing - that includes never
clicking on links contained inside unsolicited emails and
discouraging the sending and receiving of joke emails and
pornographic content," said Graham Cluley, senior
technology consultant for Sophos. "This worm feeds on people's
habit of blindly clicking on links in their email without realising
the risks they may be taking."
Sophos protects against the Bofra worms
Sophos issued protection against the W32/Bofra-A worm at 15:29
GMT on 8 November 2004. Customers using Enterprise Manager or the Sophos small business solutions
were automatically protected at their next scheduled update.
Customers using these products received protection against the
W32/Bofra-B and
W32/Bofra-C
variants of the worm from 8:22 GMT on 9 November 2004.
Sophos recommends companies protect their email with a consolidated solution to thwart the virus and spam
threats as well as secure their desktop and servers with
automatically updated anti-virus protection.
More information about the vulnerability can be found on
CERT's website. The vulnerability does not appear to
be present in computers running Microsoft Windows XP with Service
Pack 2.
Is it or isn't it MyDoom?
Some anti-virus vendors have issued protection against the Bofra
worms, calling them variants of the MyDoom worm. However, experts
at Sophos have determined that Bofra is not a member of the MyDoom
worm family.
"Detailed analysis of the Bofra worms reveals that the
similarities they have with the MyDoom family of worms are
outweighed by the differences," said Cluley. "For one thing, the
Bofra worms spread between users in an entirely different way from
the MyDoom worm which relied upon email attachments."