W32/Bofra-H is a mass-mailing worm for the Windows platform.
W32/Bofra-H includes a backdoor, allowing a remote attacker to control the infected computer.
W32/Bofra-H spreads by exploiting an IFrame vulnerability in Internet Explorer.
W32/Bofra-H tries to copy itself either to the Windows system folder or to the Temp folder, using a filename consisting of between 3 and 8 random characters followed by 32.EXE (e.g. EOFJNF32.EXE). W32/Bofra-H then creates an entry in the registry at one of the following locations so as to be run when a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Reactor7
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Reactor7
W32/Bofra-H attempts to harvest email addresses from the Outlook address book and from files with the following extensions:
TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB, PL, WAB
W32/Bofra-H will not harvest addresses containing the following strings:
.gov, .mil, accoun, acketst, admin, anyone, arin., avp, berkeley, borlan, bsd, bugs, ca, certific, contact, example, feste, fido, foo., fsf., gnu, gold-certs, google, gov., help, hotmail, iana, ibm.com, icrosof, icrosoft, ietf, info, inpris, isc.o, isi.e, kernel, linux, listserv, math, me, mit.e, mozilla, msn., mydomai, no, nobody, nodomai, noone, not, nothing, ntivi, page, panda, pgp, postmaster, privacy, rating, rfc-ed, ripe., root, ruslis, samples, secur, sendmail, service, site, soft, somebody, someone, sopho, submit, support, syma, tanford.e, the.bat, unix, usenet, utgers.ed, webmaster, you, your
W32/Bofra-H uses its own SMTP engine to send emails to these harvested addresses, enticing the recipient to click on a hyperlink. This link makes use of an exploit in Internet Explorer to download W32/Bofra-H from the infected machine. The download will take place without any notification from Windows. In order to allow this download to take place the infected machine listens on ports higher than 1639 for download requests.
The email distributed by W32/Bofra-H creates fake email headers to pretend it was created by a number of different legitimate email clients and also that it has been checked for viruses. The email itself has the following characteristics:
From field: An address found on the infected computer, or one constructed randomly from strings within the worm such as:
exchange-robot@paypal.com
palux@yahoo.com
Subject line: Blank or one of the following:
Hi!
HI!
Hey!
HEY!
Confirmation
CONFIRMATION
Message body:
Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days.
To see details please click this link.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received.
Thank you for using PayPal.
Hi! I am looking for new friends. I am from Miami, FL. You can see my homepage with my last webcam photos! Hello!
Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my homepage with my weblog and last webcam photos!
See you!
W32/Bofra-H also contains IRC backdoor functionality and may download and execute files from remote websites to files with random filenames in the Windows system folder if instructed to do so.
The worm may inject itself into other processes in order to make itself more difficult to remove.
W32/Bofra-H attempts to delete the following registry entries to prevent other variants of W32/Bofra running when a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\center
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\reactor
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Rhino
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Reactor3
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Reactor4
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Reactor5
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Reactor6