9 November 2004

Bofra-B worm poses as PayPal purchase, Sophos reports on virus exploiting unpatched Microsoft vulnerability

Anti-virus experts at Sophos have warned users to be wary of unsolicited emails appearing to come from PayPal, as they may be luring the unwary into being infected by the W32/Bofra-B worm.

The Bofra-B worm sends emails pretending to be notification from PayPal of a $175 credit card purchase. Recipients are advised to click on a link to see details of the bogus purchase. If users click on the link they are taken to a webserver running on a previously infected computer, which exploits a serious security vulnerability in Microsoft Internet Explorer.

"Clicking on the link on an unprotected computer initiates the virus attack," said Graham Cluley, senior technology consultant for Sophos. "This serious hole was only found in Microsoft Internet Explorer last week and there is no patch yet available. This is one of the fastest turnarounds of vulnerability discovery to full-blown worm that we have ever seen."

"People will naturally be worried that someone has charged their credit card for a purchase they have never made, and will click on the link to get more information," continued Cluley. "That is precisely what the worm's author is banking on. Everyone should ensure they are running the very latest anti-virus protection and have properly secured their computers from viral attack."

Emails sent by W32/Bofra-B can have the following characteristics:

The HTML email can also have a non-white background colour:

More information about the vulnerability can be found on CERT's website. The vulnerability does not appear to be present in computers running Microsoft Windows XP with Service Pack 2.

Is it or isn't it MyDoom?

Some anti-virus vendors have issued protection against the Bofra worms, calling them variants of the MyDoom worm. However, experts at Sophos have determined that Bofra is not a member of the MyDoom worm family.

"Detailed analysis of the Bofra worms reveals that the similarities they have with the MyDoom family of worms are outweighed by the differences," said Cluley. "For one thing, the Bofra worms spread between users in an entirely different way from the MyDoom worm which relied upon email attachments."