Since Monday 8 November, Sophos has seen an increase in activity by the Bofra family of worms (mistakenly identitifed as versions of the MyDoom worm by some anti-virus vendors) which use both email and a recently discovered Microsoft security vulnerability to spread.
Sophos has produced the following explanation of how the Bofra worm spreads from computer to computer:
1. An uninfected computer receives an email from a computer which is already infected by one of the Bofra worms. The email may contain a message alluding to an adult webcam, a PayPal credit card message, or other content.
2. The user of the uninfected computer, opens the email and clicks on the link contained within. This takes the web browser to a web server running on the sender's computer.
3. The web server running on the sender's computer contains malicious code, which exploits the Microsoft Internet Explorer IFRAME vulnerability and infects the visiting PC with the Bofra worm. The worm creates a web server on the newly infected computer, scours the PC for email addresses, and sends more email messages to other internet users in the hope of infecting others.
Computer users who receive these emails and click on the links will be sent to the web server on the newly infected computer.
Sophos protects against the Bofra worms
Sophos issued protection against the W32/Bofra-A worm at 15:29 GMT on 8 November 2004. Customers using Enterprise Manager or the Sophos small business solutions were automatically protected at their next scheduled update. Customers using these products received protection against the W32/Bofra-B and W32/Bofra-C variants of the worm from 8:22 GMT on 9 November 2004.
Sophos recommends companies protect their email with a consolidated solution to thwart the virus and spam threats as well as secure their desktop and servers with automatically updated anti-virus protection.
More information about the vulnerability can be found on CERT's website. The vulnerability does not appear to be present in computers running Microsoft Windows XP with Service Pack 2.
Is it or isn't it MyDoom?
Some anti-virus vendors have issued protection against the Bofra worms, calling them variants of the MyDoom worm. However, experts at Sophos have determined that Bofra is not a member of the MyDoom worm family.
"Detailed analysis of the Bofra worms reveals that the similarities they have with the MyDoom family of worms are outweighed by the differences," said Graham Cluley, senior technology consultant for Sophos. "For one thing, the Bofra worms spread between users in an entirely different way from the MyDoom worm which relied upon email attachments."
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.