Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | December 2004 (3.88) |
| Protection available since | 9 November 2004 08:26:54 (GMT) |
| Detected by | All Sophos products |
Action

Please read the instructions for removing W32/Bofra-B
More Information
W32/Bofra-B is a worm for the Windows platform that arrives via email.
W32/Bofra-B is a mass-mailing worm for the Windows platform.
W32/Bofra-B tries to copy itself either to the Windows system folder or to the Temp folder, using a filename consisting of between 2 and 8 random characters followed by 32.EXE (e.g. EOFJNF32.EXE). W32/Bofra-B then creates an entry in the registry at one of the following locations so that it is run on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Reactor5
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Reactor5
W32/Bofra-B attempts to harvest email addresses from the Outlook address book and from files with the following extensions:
TXT, HTMB, SHTL, PHPQ, ASPD, DBXN, TBBG, ADBH, PL, WAB
W32/Bofra-B will not harvest addresses containing the following strings:
avp, syma, icrosof, msn., hotmail, panda, sopho, borlan, inpris, example, mydomai, nodomai, ruslis, .gov, gov., .mil, foo., root, info, samples, postmaster, webmaster, noone, nobody, nothing, anyone, someone, your, you, me, bugs, rating, site, contact, soft, no, somebody, privacy, service, help, not, submit, feste, ca, gold-certs, the.bat, page, spm, spam, www, secur, abuse, admin, icrosoft, support, ntivi, unix, bsd, linux, listserv, certific, google, accoun, berkeley, unix, math, bsd, mit.e, gnu, fsf., ibm.com, google, kernel, linux, fido, usenet, iana, ietf, rfc-ed, sendmail, arin., ripe., isi.e, isc.o, secur, acketst, pgp, tanford.e, utgers.ed, mozilla
W32/Bofra-B will use its own SMTP engine to send emails to these harvested addresses, enticing the recipient to click on a hyperlink. This link makes use of an exploit in Internet Explorer to download W32/Bofra-B from the infected computer, saving the infected file to the Desktop with the filename VV.DAT. The download will take place without any notification from Windows. In order to allow this download to take place the infected machine listens on ports higher than 1639 for download requests.
The email distributed by W32/Bofra-B creates fake email headers to pretend it was created by a number of different legitimate email clients and also that it has been checked for viruses. The email itself has the following characteristics:
FROM: This field will be one entry from the following list
Becky
joanna
KETTY
jane
sindy
exchange-robot@paypal.com (for emails pretending to be from PayPal)
SUBJECT: This field will be one entry from the following list
Hi!
Hey!
Confirmation
BODY: This field will be one entry from the following list, and the colour and text formatting may vary
Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my homepage with my weblog and last webcam photos!
See you!
Congratulations! PayPal has successfully charged $175 to your credit card.
Your order tracking number is A866DEC0 and your item will be shipped within three business days.
To See details please click this link,
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received.
Thank you for using PayPal.
W32/Bofra-B also contains IRC backdoor Trojan functionality and, if instructed to do so, may download files from a remote website, save them under random filenames in the Windows system folder and execute them.
W32/Bofra-B attempts to delete the following registry entries to prevent files created by other variants of the worm from running on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\center
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\reactor
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Rhino
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Reactor3
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Reactor4
W32/Bofra-B attempts to inject itself into Explorer to make it harder to remove.
W32/Bofra-B will not run on dates past December 15th.
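As an added triage example (constructed here, not Sophos code), the following Python helper checks Run-key entries and a Desktop listing against the indicators described above: the Reactor5 value name, the 2-8 random characters plus 32.EXE filename in the system or Temp folder, the value names of earlier variants that Bofra-B deletes, and the VV.DAT download. The registry and file listings are constructed inline; the function names and the sample paths are assumptions.

```python
import re
from typing import Dict, Iterable, List

# Indicators taken from the W32/Bofra-B description above.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
BOFRA_B_VALUE = "Reactor5"  # value name Bofra-B creates under the Run key
OTHER_VARIANT_VALUES = {"center", "reactor", "Rhino", "Reactor3", "Reactor4"}  # deleted by Bofra-B
# Dropped copy: 2-8 random letters followed by 32.EXE, in the system or Temp folder.
DROP_NAME = re.compile(r"^[A-Za-z]{2,8}32\.exe$", re.IGNORECASE)
DROP_DIRS = {"system32", "temp"}
DOWNLOAD_NAME = "vv.dat"  # file the IE exploit saves to the Desktop

def check_run_entries(entries: Dict[str, Dict[str, str]]) -> List[str]:
    """entries maps hive ('HKLM' or 'HKCU') -> {value name: command line}.
    Returns human-readable findings; an empty list means nothing matched."""
    findings = []
    for hive, values in entries.items():
        for name, cmd in values.items():
            parts = cmd.strip('"').replace("/", "\\").split("\\")
            in_drop_dir = any(p.lower() in DROP_DIRS for p in parts[:-1])
            if name == BOFRA_B_VALUE:
                # The value name alone is suspicious; also report whether the path fits the drop pattern.
                fits = in_drop_dir and bool(DROP_NAME.match(parts[-1]))
                findings.append(f"{hive}\\{RUN_KEY}\\{name} -> {cmd} (Bofra-B value; drop pattern match: {fits})")
            elif name in OTHER_VARIANT_VALUES:
                findings.append(f"{hive}\\{RUN_KEY}\\{name} -> {cmd} (earlier Bofra variant value)")
    return findings

def check_desktop(paths: Iterable[str]) -> List[str]:
    """Flag the VV.DAT file that the worm's download saves to the Desktop."""
    return [p for p in paths if p.replace("/", "\\").lower().endswith("\\desktop\\" + DOWNLOAD_NAME)]

# Constructed sample listings (not taken from a real machine).
SAMPLE_RUN = {
    "HKLM": {
        "Reactor5": r"C:\WINDOWS\system32\EOFJNF32.EXE",
        "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
        "Rhino": r"C:\WINDOWS\Temp\abc32.exe",
    },
}
SAMPLE_DESKTOP = [
    r"C:\Documents and Settings\user\Desktop\VV.DAT",
    r"C:\Documents and Settings\user\Desktop\notes.txt",
]

if __name__ == "__main__":
    for finding in check_run_entries(SAMPLE_RUN) + check_desktop(SAMPLE_DESKTOP):
        print(finding)
```

On a live host the two dictionaries would be filled from the Run keys and the user's Desktop folder; a Reactor5 value whose path does not fit the drop pattern still deserves a look, which is why the name is reported on its own.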
Further information:
How does the Bofra worm infect your PC?
Bofra worms spread via unpatched Internet Explorer security hole
