Anti-virus experts at Sophos have warned users to be wary of
unsolicited emails appearing to come from PayPal, as they may be
luring the unwary into being infected by the W32/Bofra-B worm.
The Bofra-B worm sends emails pretending to be notification from
PayPal of a $175 credit card purchase. Recipients are advised to
click on a link to see details of the bogus purchase. If users
click on the link they are taken to a webserver running on a
previously infected computer, which exploits a serious security
vulnerability in Microsoft Internet Explorer.
"Clicking on the link on an unprotected computer initiates the
virus attack," said Graham Cluley, senior technology consultant for
Sophos. "This serious hole was only found in Microsoft Internet
Explorer last week and there is no patch yet available. This is one
of the fastest turnarounds of vulnerability discovery to full-blown
worm that we have ever seen."
"People will naturally be worried that someone has charged their
credit card for a purchase they have never made, and will click on
the link to get more information," continued Cluley. "That is
precisely what the worm's author is banking on. Everyone should
ensure they are running the very latest anti-virus protection and
have properly secured their computers from viral attack."
Emails sent by W32/Bofra-B can have the following characteristics:
From: exchange-robot@paypal.com
Subject line: Confirmation
Message body:
Congratulations! PayPal has successfully charged $175 to your
credit card. Your order tracking number is A866DEC0, and your item
will be shipped within three business days.
To see details please click this link.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being
sent by an automated message system and the reply will not be
received. Thank you for using PayPal.
The HTML email can also have a non-white background colour.
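As an added example that is not part of the Sophos release, the following Python check scores a raw email against the lure characteristics listed above (sender address, subject line, body phrases) and flags messages that claim to come from PayPal while linking somewhere outside paypal.com, since the release says the link leads to a webserver on a previously infected computer rather than to PayPal. The two sample messages, the 192.0.2.10 link address and the off-domain-link heuristic are constructed assumptions for the example, not details taken from the release.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Indicators copied from the email characteristics listed in the release.
KNOWN_SENDER = "exchange-robot@paypal.com"
KNOWN_SUBJECT = "confirmation"
BODY_PHRASES = (
    "paypal has successfully charged $175",
    "order tracking number is a866dec0",
    "will be shipped within three business days",
    "do not reply to this message via email",
)
# Domain the lure claims to come from; links elsewhere are suspicious.
CLAIMED_DOMAIN = "paypal.com"


def _body_text(msg: Message) -> str:
    """Concatenate the decoded text of every text/* MIME part."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _off_domain_links(body: str, domain: str) -> list:
    """URLs in the body whose host is neither the domain nor a subdomain of it."""
    urls = re.findall(r"https?://[^\s\"'<>]+", body, flags=re.IGNORECASE)
    bad = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host != domain and not host.endswith("." + domain):
            bad.append(url)
    return bad


def score_bofra_lure(raw_message: str) -> dict:
    """Return which Bofra-B lure indicators a raw RFC 822 message matches."""
    msg = message_from_string(raw_message)
    sender = (msg.get("From") or "").lower()
    subject = (msg.get("Subject") or "").strip().lower()
    body = _body_text(msg)
    body_lower = body.lower()

    hits = []
    if KNOWN_SENDER in sender:
        hits.append("sender")
    if subject == KNOWN_SUBJECT:
        hits.append("subject")
    for phrase in BODY_PHRASES:
        if phrase in body_lower:
            hits.append("body:" + phrase[:24])
    # Heuristic (assumption, not from the release): a mail claiming to be
    # from PayPal whose links point outside paypal.com deserves a flag.
    off_domain = _off_domain_links(body, CLAIMED_DOMAIN)
    if CLAIMED_DOMAIN in sender and off_domain:
        hits.append("link outside claimed domain")
    return {"hits": hits, "off_domain_links": off_domain, "suspicious": len(hits) >= 2}


# Constructed sample lure modelled on the characteristics above; the link
# address is from the documentation range and is not a real host.
LURE = """From: exchange-robot@paypal.com
To: victim@example.net
Subject: Confirmation
Content-Type: text/html; charset=us-ascii

<html><body bgcolor="#ffffcc">
Congratulations! PayPal has successfully charged $175 to your
credit card. Your order tracking number is A866DEC0, and your item
will be shipped within three business days.<br>
To see details please click <a href="http://192.0.2.10/">this link</a>.<br>
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being
sent by an automated message system and the reply will not be
received. Thank you for using PayPal.
</body></html>
"""

# Constructed benign message for comparison.
BENIGN = """From: service@paypal.com
To: user@example.net
Subject: Your receipt
Content-Type: text/plain; charset=us-ascii

Thanks for your payment. View it at https://www.paypal.com/receipt
"""

if __name__ == "__main__":
    for name, sample in (("lure", LURE), ("benign", BENIGN)):
        print(name, score_bofra_lure(sample))
```

The score requires at least two independent indicators before calling a message suspicious, so a legitimate PayPal receipt that happens to contain the word "Confirmation" is not flagged on the subject line alone, while the lure above trips the sender, subject, every body phrase and the off-domain link.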
More information about the vulnerability can be found on
CERT's website. The vulnerability does not appear to
be present in computers running Microsoft Windows XP with Service
Pack 2.
Is it or isn't it MyDoom?
Some anti-virus vendors have issued protection against the Bofra
worms, calling them variants of the MyDoom worm. However, experts
at Sophos have determined that Bofra is not a member of the MyDoom
worm family.
"Detailed analysis of the Bofra worms reveals that the
similarities they have with the MyDoom family of worms are
outweighed by the differences," said Cluley. "For one thing, the
Bofra worms spread between users in an entirely different way from
the MyDoom worm which relied upon email attachments."
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.