Sophos

W32/Bofra-D

Aliases
  • Worm/MyDoom.AH
  • I-Worm.Bofra.b
  • W32/Mydoom.gen@MM
  • Worm.Mydoom.AD

How it spreads
  • Email messages
Affected operating systems: Windows
Protection available since: 10 November 2004 20:51:38 (GMT)
Detected by: All Sophos products

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Reactor8

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\Reactor8

and remove any reference to any file you deleted.

Close the registry editor.

Summary

W32/Bofra-D is a mass-mailing worm for the Windows platform.

W32/Bofra-D harvests email addresses from files on the infected computer.

W32/Bofra-D uses its own SMTP engine to send emails to these harvested addresses, enticing the recipient to click on a hyperlink. This link makes use of an exploit in Internet Explorer to download W32/Bofra-D from the infected machine. The download will take place without any notification from Windows.

W32/Bofra-D also contains IRC backdoor functionality. The characteristics of the emails it sends are listed under More Information.

More Information

W32/Bofra-D is a mass-mailing worm for the Windows platform.

W32/Bofra-D tries to copy itself either to the Windows system folder or to the Temp folder, using a filename made up of between 3 and 8 random characters followed by 32.EXE (e.g. EOFJNF32.EXE). W32/Bofra-D then creates an entry in the registry at one of the following locations so as to be run when a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Reactor8

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Reactor8

W32/Bofra-D attempts to harvest email addresses from the Outlook address book and from files with the following extensions:

TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB, PL, WAB

W32/Bofra-D will not harvest addresses containing the following strings:

.gov, .mil, accoun, acketst, admin, anyone, arin., avp, berkeley, borlan, bsd, bugs, ca, certific, contact, example, feste, fido, foo., fsf., gnu, gold-certs, google, gov., help, hotmail, iana, ibm.com, icrosof, icrosoft, ietf, info, inpris, isc.o, isi.e, kernel, linux, listserv, math, me, mit.e, mozilla, msn., mydomai, no, nobody, nodomai, noone, not, nothing, ntivi, page, panda, pgp, postmaster, privacy, rating, rfc-ed, ripe., root, ruslis, samples, secur, sendmail, service, site, soft, somebody, someone, sopho, submit, support, syma, tanford.e, the.bat, unix, usenet, utgers.ed, webmaster, you, your

W32/Bofra-D uses its own SMTP engine to send emails to these harvested addresses, enticing the recipient to click on a hyperlink. This link makes use of an exploit in Internet Explorer to download W32/Bofra-D from the infected machine. The download will take place without any notification from Windows. In order to allow this download to take place the infected machine listens on ports higher than 1639 for download requests.

The email distributed by W32/Bofra-D creates fake email headers to pretend it was created by a number of different legitimate email clients and also that it has been checked for viruses. The email itself has the following characteristics:

From field: An address found on the infected computer, or one constructed randomly from strings within the worm such as:

exchange-robot@paypal.com
palux@yahoo.com

Subject line: Blank or one of the following:

Hi!
HI!
Hey!
HEY!
Confirmation
CONFIRMATION

Message body:

Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days.
To see details please click this link.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received.
Thank you for using PayPal.

Hi! I am looking for new friends. I am from Miami, FL. You can see my homepage with my last webcam photos! Hello!

Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my homepage with my weblog and last webcam photos!
See you!
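The email characteristics above lend themselves to a mailbox or gateway rule. The PowerShell below is an added example, not Sophos' code: it scores a message against the sender addresses, subject lines and body phrases quoted on this page, flagging only when a worm subject coincides with a forged sender or a body phrase, because a subject such as "Hi!" on its own is far too generic. The message shape (From, Subject and Body strings), the three sample messages and the function name are constructed for this example and are not from the page.

```powershell
# Added example, not Sophos' code: flag the W32/Bofra-D lure described on
# this page. Indicator strings are copied from the page; the message shape,
# the sample messages and the function name are the example's own.

$BofraSubjects = @('', 'Hi!', 'HI!', 'Hey!', 'HEY!', 'Confirmation', 'CONFIRMATION')
$BofraSenders  = @('exchange-robot@paypal.com', 'palux@yahoo.com')
$BofraPhrases  = @(
    'PayPal has successfully charged $175',
    'order tracking number is A866DEC0',
    'DO NOT REPLY TO THIS MESSAGE VIA EMAIL',
    'looking for new friends',
    'last webcam photos'
)

function Test-BofraLure {
    param(
        [string]$From,
        [string]$Subject,
        [string]$Body
    )
    # -contains is case-insensitive in PowerShell, so 'hi!' also matches.
    $subjectHit = $BofraSubjects -contains $Subject.Trim()
    $senderHit  = $BofraSenders -contains $From.Trim()
    # Body phrases are matched case-insensitively as plain substrings.
    $phraseHits = @($BofraPhrases | Where-Object {
        $Body.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
    })
    # A worm subject alone is too generic; require a forged sender or a
    # body phrase as corroboration before flagging.
    [pscustomobject]@{
        Suspicious = $subjectHit -and ($senderHit -or $phraseHits.Count -gt 0)
        SubjectHit = $subjectHit
        SenderHit  = $senderHit
        PhraseHits = $phraseHits
    }
}

# Constructed sample messages: two modelled on the page's lures, one benign.
$samples = @(
    @{ From = 'exchange-robot@paypal.com'; Subject = 'Confirmation'
       Body = 'Congratulations! PayPal has successfully charged $175 to your credit card. To see details please click this link.' },
    @{ From = 'jane@example.org'; Subject = 'Hi!'
       Body = 'Hi! I am looking for new friends. See my homepage with my last webcam photos!' },
    @{ From = 'colleague@example.org'; Subject = 'Hi!'
       Body = 'Are we still meeting at 3pm?' }
)
foreach ($m in $samples) {
    $r = Test-BofraLure @m
    '{0,-28} {1,-13} suspicious={2} phrases={3}' -f $m.From, $m.Subject, $r.Suspicious, $r.PhraseHits.Count
}
```

The first two samples are flagged (forged PayPal sender, and two body phrases respectively); the third shares the "Hi!" subject but has no corroborating indicator and passes. Because the sender list is only the two addresses the page quotes, a real deployment would lean mostly on the body phrases, which the worm does not vary.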

W32/Bofra-D also contains IRC backdoor functionality and, if instructed to do so, may download files from a remote website and execute them, saving them under random filenames in the Windows system folder.

W32/Bofra-D attempts to delete the following registry entries to prevent other variants of W32/Bofra running when a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
center

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
reactor

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Rhino

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Reactor3

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Reactor4

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Reactor5

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Reactor6
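The manual removal procedure under Action and the list of earlier-variant Run values just above both amount to inspecting the same registry locations, so the following PowerShell, an added example that is not part of Sophos' description or tooling, automates that triage on one host: it walks the Run key in HKLM and in every loaded user hive under HKU, reports any of the value names this page mentions (Reactor8 for this variant, plus the earlier-variant names it deletes), checks whether the referenced file follows the <3-8 characters>32.EXE naming the page describes, and lists TCP listeners on ports above 1639, which the page says the worm uses to serve its own download. It assumes an elevated PowerShell 3.0 or later session; the function names, the per-key backup file location and the use of netstat -ano are the example's own choices and are not from the page.

```powershell
# Added example, not Sophos' code: triage a Windows host for the W32/Bofra-D
# persistence this page describes and optionally remove it.
# From the page: the Run-key value names, the <3-8 characters>32.EXE file
# naming, and the download listener on a port above 1639.
# Assumed: an elevated PowerShell 3.0+ session; function names and the backup
# location are the example's own.

# 'Reactor8' is what this variant writes; the other names belong to earlier
# variants that it deletes, so finding one points to a previous infection.
$BofraValueNames = @('Reactor8', 'center', 'reactor', 'Rhino',
                     'Reactor3', 'Reactor4', 'Reactor5', 'Reactor6')
$RunSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'

function Test-BofraFileName {
    param([string]$Path)
    # The worm copies itself as <3 to 8 random characters>32.EXE, e.g. EOFJNF32.EXE.
    # A bare (optionally quoted) path is assumed; trailing arguments are not stripped.
    if (-not $Path) { return $false }
    $leaf = Split-Path -Leaf $Path.Trim('"')
    return [bool]($leaf -match '^[A-Za-z0-9]{3,8}32\.EXE$')
}

function Get-BofraRunEntries {
    # Check HKLM and every loaded user hive under HKU, which the manual
    # procedure's "HKU\[code number]" step walks through by hand.
    $keys = @("HKLM:\$RunSubKey")
    foreach ($sid in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $keys += "Registry::$($sid.Name)\$RunSubKey"
    }
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        foreach ($name in $BofraValueNames) {
            $data = $props.$name
            if ($null -eq $data) { continue }
            [pscustomobject]@{
                Key         = $key
                ValueName   = $name
                Data        = [string]$data
                NameMatches = Test-BofraFileName -Path ([string]$data)
            }
        }
    }
}

function Get-BofraListeners {
    # The worm serves its own download on a port above 1639. netstat -ano
    # exists on every Windows version the page names; parse its LISTENING rows.
    netstat -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f.Count -ge 5 -and $f[0] -eq 'TCP' -and $f[3] -eq 'LISTENING') {
            $port = [int](($f[1] -split ':')[-1])
            if ($port -gt 1639) {
                $proc = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
                # A listener whose image follows the worm's naming is the strongest signal.
                $hit = if ($proc.Path) { Test-BofraFileName -Path $proc.Path } else { $false }
                [pscustomobject]@{
                    LocalPort   = $port
                    Pid         = [int]$f[4]
                    Process     = $proc.ProcessName
                    Path        = $proc.Path
                    NameMatches = $hit
                }
            }
        }
    }
}

function Remove-BofraRunEntries {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Export each affected Run key with reg.exe before touching it (the page's
    # procedure backs up the whole registry; this narrows it to the key changed).
    foreach ($entry in Get-BofraRunEntries) {
        $regPath = $entry.Key -replace '^HKLM:\\', 'HKLM\' -replace '^Registry::HKEY_USERS\\', 'HKU\'
        $backup  = Join-Path $env:TEMP ('Backup-{0}.reg' -f ($regPath -replace '[\\:]', '_'))
        & reg.exe export $regPath $backup /y | Out-Null
        if ($PSCmdlet.ShouldProcess("$($entry.Key) -> $($entry.ValueName)", 'Remove Run value')) {
            Remove-ItemProperty -LiteralPath $entry.Key -Name $entry.ValueName
        }
    }
}

# Usage: review the findings first; -WhatIf previews removals without changing anything.
Get-BofraRunEntries | Format-Table -AutoSize
Get-BofraListeners   | Format-Table -AutoSize
# Remove-BofraRunEntries -WhatIf
```

Run the two Get- functions first and locate the file each Run value points at; delete the file as the worm-removal instructions describe, then run Remove-BofraRunEntries so the registry no longer references a file that is gone. A Run value whose data does not match the naming pattern still deserves a look, since the pattern only covers the filename the worm chooses for its own copy, not files it later downloads under other random names.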
