Sophos

W32/Bofra-G

Aliases
  • I-Worm.Bofra.gen
  • W32/Mydoom.gen@MM

Summary

Affected operating systems Windows
Protection available since 12 November 2004 16:56:14 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\
Software\Microsoft\Windows\CurrentVersion\Run\
Reactor9

HKLM\
Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\
Version

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entries:

HKU\
[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
Reactor9

HKCU\
Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\
Version

and remove any reference to any file you deleted.

Close the registry editor.

More Information

W32/Bofra-G is a mass-mailing worm for the Windows platform.

W32/Bofra-G tries to copy itself either to the Windows system folder or to the Temp folder, using a filename consisting of between two and eight random characters followed by 32.EXE (e.g. EOFJNF32.EXE).

W32/Bofra-G then creates an entry in the registry at one of the following locations so as to be run on system startup:

HKLM\
Software\Microsoft\Windows\CurrentVersion\Run\
Reactor9

HKCU\
Software\Microsoft\Windows\CurrentVersion\Run\
Reactor9

W32/Bofra-G may create the following registry entries:

HKLM\
Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\
Version

HKCU\
Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\
Version

W32/Bofra-G attempts to harvest email addresses from the Outlook address book and from files with the following extensions:

TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB, PL, WAB

W32/Bofra-G will not harvest addresses containing the following strings:

avp, syma, icrosof, msn., hotmail, panda, sopho, borlan, inpris, example, mydomai, nodomai, ruslis, .gov, gov., .mil, foo., root, info, samples, postmaster, webmaster, noone, nobody, nothing, anyone, someone, your, you, me, bugs, rating, site, contact, soft, no, somebody, privacy, service, help, not, submit, feste, ca, gold-certs, the.bat, page, spm, spam, www, secur, abuse, admin, icrosoft, support, ntivi, unix, bsd, linux, listserv, certific, google, accoun, berkeley, unix, math, bsd, mit.e, gnu, fsf., ibm.com, google, kernel, linux, fido, usenet, iana, ietf, rfc-ed, sendmail, arin., ripe., isi.e, isc.o, secur, acketst, pgp, tanford.e, utgers.ed, mozilla

W32/Bofra-G will sometimes harvest the domain name of an address found on the infected computer but uses one of the following usernames (i.e. if it finds the address a@hotmail.com on the computer, it may use john@hotmail.com):

john, john, alex, michael, james, mike, kevin, david, george, sam, andrew, jose, leo, maria, jim, brian, serg, mary, ray, tom, peter, robert, bob, jane, joe, dan, dave, matt, steve, smith, stan, bill, bob, jack, fred, ted, adam, brent, alice, anna, brenda, claudia, debby, helen, jerry, jimmy, julie, linda, sandra

W32/Bofra-G will use its own SMTP engine to send emails to these harvested addresses, enticing the recipient to click on a hyperlink. This link makes use of an exploit in Internet Explorer to download W32/Bofra-G from the infected machine, saving the infected file to the Desktop with the filename VV.DAT. The download will take place without any notification from Windows.

In order to allow this download to take place, the infected machine listens on ports higher than 1639 for download requests.

The email distributed by W32/Bofra-G carries forged headers claiming that it was created by one of several legitimate email clients and that it has been checked for viruses. The email itself has the following characteristics:

FROM: This field will be spoofed as either one address harvested from the infected computer or three to five random characters followed by one of the following domains:

@aol.com
@msn.com
@yahoo.com
@hotmail.com

SUBJECT: This field will either be blank or one entry from the following list with either all the characters capitalised or no extra capitalisation:

Hi!
Hey!
Confirmation

BODY: This field will be one of the following entries, with varying colour and text formatting:

Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my homepage with my weblog and last webcam photos!
See you!

Hi! I am looking for new friends. I am from Miami, FL. You can see my homepage with my last webcam photos!
Hello!

Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0 and your item will be shipped within three business days. To See details please click this link,
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received.
Thank you for using PayPal.

W32/Bofra-G will create the email header in such a way that it appears to have been sent from one of the following versions of Microsoft Outlook Express:

6.00.2800.1081
5.50.4133.2400
6.00.2600.0000
6.00.2800.1158

W32/Bofra-G also adds one of the following lines to the email header:

Checked by Dr.Web (http://www.drweb.net)
Checked for viruses by Gordano's AntiVirus Software
scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
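The lure traits listed above (spoofed From address, subject, body text, forged Outlook Express version, fake scan line and the download link to the infected host) can be turned into a mail-gateway check. The following is an added example, not Sophos code: it assumes the forged client version is carried in X-Mailer, that the "random characters" in the From address are alphanumeric, and that the link names the infected host as an IP literal with a port above 1639; the sample message and its X-Antivirus header name are constructed.

```python
import re
from email import message_from_string

FREEMAIL = ("aol.com", "msn.com", "yahoo.com", "hotmail.com")
SUBJECTS = {""} | {s for b in ("Hi!", "Hey!", "Confirmation") for s in (b, b.upper())}
OE_VERSIONS = ("6.00.2800.1081", "5.50.4133.2400", "6.00.2600.0000", "6.00.2800.1158")
AV_LINES = ("Checked by Dr.Web", "Checked for viruses by Gordano's AntiVirus Software",
            "scanned for viruses by AMaViS 0.2.1")
BODY_MARKERS = ("looking for new friends", "PayPal has successfully charged $175", "A866DEC0")
# Three to five random characters (assumed alphanumeric) in front of a freemail domain.
FROM_RE = re.compile(r"<?[a-z0-9]{3,5}@(?:%s)>?" % "|".join(map(re.escape, FREEMAIL)))
# Assumption: the lure link points straight at the infected host as IP:port (port > 1639).
LINK_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}:(\d+)")

def message_text(msg):
    """Decode and join every text part, whether the message is single-part or multipart."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode(p.get_content_charset() or "latin-1", "replace")
                     for p in parts if p.get_content_maintype() == "text")

def bofra_indicators(raw):
    """Return the Bofra-G traits found in one raw RFC 822 message (empty list if none)."""
    msg, hits = message_from_string(raw), []
    if FROM_RE.fullmatch((msg.get("From") or "").strip().lower()):
        hits.append("from")
    if (msg.get("Subject") or "").strip() in SUBJECTS:     # blank, or one of the three forms
        hits.append("subject")
    # Assumption: the forged Outlook Express version rides in X-Mailer, where OE itself puts it.
    if any(v in (msg.get("X-Mailer") or "") for v in OE_VERSIONS):
        hits.append("x-mailer")
    # The description does not name the header carrying the fake scan line, so check them all.
    if any(a in val for val in msg.values() for a in AV_LINES):
        hits.append("av-header")
    body = message_text(msg)
    if any(m in body for m in BODY_MARKERS):
        hits.append("body")
    link = LINK_RE.search(body)
    if link and int(link.group(1)) > 1639:
        hits.append("link")
    return hits

# Constructed sample message (not a captured one); the X-Antivirus header name is made up.
SAMPLE = """From: qzk7@hotmail.com
Subject: CONFIRMATION
X-Mailer: Microsoft Outlook Express 6.00.2800.1081
X-Antivirus: Checked by Dr.Web (http://www.drweb.net)

Congratulations! PayPal has successfully charged $175 to your credit card.
To see details please click this link, http://192.0.2.10:2041/
"""
```

A blank subject or a single freemail sender is common in legitimate mail, so act on the number of traits returned rather than on any one of them.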

W32/Bofra-G also contains IRC backdoor Trojan functionality: it may connect to an IRC server on port 6667 and, according to the instructions it receives, send information about the infected computer or download and execute files from remote websites, saving them to the Windows system folder with random six-character filenames.

W32/Bofra-G attempts to delete the following registry entries to prevent other variants of the Bofra worm from running on system startup:

HKLM\
Software\Microsoft\Windows\CurrentVersion\Run\
center

HKLM\
Software\Microsoft\Windows\CurrentVersion\Run\
reactor

HKLM\
Software\Microsoft\Windows\CurrentVersion\Run\
Rhino

HKLM\
Software\Microsoft\Windows\CurrentVersion\Run\
Reactor3

HKLM\
Software\Microsoft\Windows\CurrentVersion\Run\
Reactor4

HKLM\
Software\Microsoft\Windows\CurrentVersion\Run\
Reactor5

HKLM\
Software\Microsoft\Windows\CurrentVersion\Run\
Reactor6

HKLM\
Software\Microsoft\Windows\CurrentVersion\Run\
Reactor7

HKLM\
Software\Microsoft\Windows\CurrentVersion\Run\
Reactor8
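The registry entries in the removal procedure above and the Run-key names listed for this and the other Bofra variants can be checked offline against a regedit export (the text of a .reg file) rather than by hand. The following is an added example, not Sophos code: it assumes the "random characters" of the dropped filename are letters, and the sample export is constructed.

```python
import re

# Run-key value names used by Bofra-G and the other Bofra variants it tries to disable.
RUN_NAMES = {"reactor9", "center", "reactor", "rhino", "reactor3", "reactor4",
             "reactor5", "reactor6", "reactor7", "reactor8"}
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run$", re.I)
COMEXPLORE_KEY = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\explorer\\comexplore$", re.I)
# Dropped-file naming from the description: 2-8 random characters (assumed letters) + 32.EXE.
DROP_NAME = re.compile(r"^[a-z]{2,8}32\.exe\b", re.I)
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')

def scan_reg_export(text):
    """Return (kind, key, name, value) findings from the text of a regedit .reg export."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # [HKEY_...\path] opens a new key
            continue
        m = VALUE_LINE.match(line)
        if not (m and key):
            continue
        name, value = m.group(1), m.group(2).replace("\\\\", "\\")  # .reg doubles backslashes
        if RUN_KEY.search(key):
            if name.lower() in RUN_NAMES:
                findings.append(("run-name", key, name, value))
            elif DROP_NAME.match(value.rsplit("\\", 1)[-1]):
                # Weak indicator: the name pattern also fits legitimate files such as rundll32.exe.
                findings.append(("run-filename", key, name, value))
        elif COMEXPLORE_KEY.search(key) and name.lower() == "version":
            findings.append(("comexplore", key, name, value))
    return findings

# Constructed sample export (not from a real machine) mixing the worm's entries with a benign one.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Reactor9"="C:\\WINDOWS\\System32\\EOFJNF32.EXE"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_USERS\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"Rhino"="C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\QK32.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore]
"Version"="1"
"""
```

Regedit writes .reg files as UTF-16, so decode the file before passing its text in; a "run-name" or "comexplore" hit points at an entry to remove, while "run-filename" on its own only warrants a look at the file it names.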

W32/Bofra-G attempts to inject itself into Explorer to make itself harder to remove.

W32/Bofra-G will not run on dates past 15 December.
