Since Monday 8 November, Sophos has seen an increase in activity
by the Bofra family of worms (mistakenly identified as versions of
the MyDoom worm by some anti-virus vendors) which use both email
and a recently discovered Microsoft security vulnerability to
spread.
Sophos has produced the following explanation of how the Bofra
worm spreads from computer to computer:
1. An uninfected computer receives an email from a
computer which is already infected by one of the Bofra worms. The
email may contain a message alluding to an adult webcam, a PayPal
credit card message, or other content.

2. The user of the uninfected computer opens the email
and clicks on the link contained within. This takes the web browser
to a web server running on the sender's computer.

3. The web server running on the sender's computer
contains malicious code, which exploits the Microsoft Internet
Explorer IFRAME vulnerability and infects the visiting PC with the
Bofra worm. The worm creates a web server on the newly infected
computer, scours the PC for email addresses, and sends more email
messages to other internet users in the hope of infecting
others.

Computer users who receive these emails and click on the links will
be sent to the web server on the newly infected computer.
Sophos protects against the Bofra worms
Sophos issued protection against the W32/Bofra-A worm at 15:29
GMT on 8 November 2004. Customers using Enterprise Manager or the
Sophos small business solutions were automatically protected at
their next scheduled update. Customers using these products
received protection against the W32/Bofra-B and W32/Bofra-C
variants of the worm from 8:22 GMT on 9 November 2004.
Sophos recommends that companies protect their email with a
consolidated solution to thwart virus and spam threats, and secure
their desktops and servers with automatically updated anti-virus
protection.
More information about the vulnerability can be found on
CERT's website. The vulnerability does not appear to
be present in computers running Microsoft Windows XP with Service
Pack 2.
Is it or isn't it MyDoom?
Some anti-virus vendors have issued protection against the Bofra
worms, calling them variants of the MyDoom worm. However, experts
at Sophos have determined that Bofra is not a member of the MyDoom
worm family.
"Detailed analysis of the Bofra worms reveals that the
similarities they have with the MyDoom family of worms are
outweighed by the differences," said Graham Cluley, senior
technology consultant for Sophos. "For one thing, the Bofra worms
spread between users in an entirely different way from the MyDoom
worm which relied upon email attachments."