8 November 2004
Bofra worms spread via unpatched Internet Explorer security hole, Sophos reports
[Image caption: Users who click on links inside emails sent by the worm may be putting themselves at risk of infection.]
Users who think they are clicking on an adult webcam link may catch a nasty infection
Updated 9 November 2004
Experts at Sophos have warned users to be wary of unsolicited emails which attempt to lure users into clicking on a link, but which really enable a malicious family of worms to infect their Windows computers.
Sophos is reporting many sightings of emails designed to fool users into being infected by the W32/Bofra family of worms (mistakenly called W32/Mydoom.AG, W32/Mydoom.AH, or W32/Mydoom.AI by some anti-virus vendors).
Emails sent by the W32/Bofra-A worm use a variety of different subject lines and message bodies, including:

  Subject lines:
    Hello
    funny photos :)

  Message bodies:
    Look at my homepage with my last webcam photos!
    FREE ADULT VIDEO! SIGN UP NOW!

Emails sent by W32/Bofra-B have the following characteristics:

  Subject line:
    Confirmation

  Message body:
    Congratulations! PayPal has successfully charged $175 to your credit card.
    Your order tracking number is A866DEC0, and your item will be shipped
    within three business days.
    To see details please click this link.
    DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received. Thank you for using PayPal.
The emails often purport to link to websites containing adult content. If users open the emails and then click on the links, they may find their computers are compromised. Clicking on the link takes the user to a web server running on a previously infected computer, which exploits the recently discovered IFRAME vulnerability in Microsoft Internet Explorer to launch the worm on the visiting computer. The worm then harvests email addresses from the newly infected PC and sends further emails to spread itself.
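As an added illustration of how a mail administrator could turn the lure characteristics above into a simple filter, the following Python script (an example written for this page, not code from Sophos or from the original article) parses messages and flags those whose subject or body matches the reported Bofra-A and Bofra-B text and which also carry a clickable link. The indicator strings are taken from the article; the sample messages, the `http://example.invalid/...` URL and the classification rule (lure text plus a link) are constructed assumptions for the demonstration.

```python
"""Flag emails matching the W32/Bofra lure indicators (added example, not Sophos code)."""
import re
from email import message_from_string
from email.message import Message

# Subject lines and body phrases reported for W32/Bofra-A and W32/Bofra-B (from the article).
BOFRA_SUBJECTS = {"hello", "funny photos :)", "confirmation"}
BOFRA_BODY_PHRASES = (
    "look at my homepage with my last webcam photos",
    "free adult video! sign up now",
    "paypal has successfully charged",
    "to see details please click this link",
)
# Any http/https URL in the body; the lure only works if the recipient follows a link.
LINK_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _body_text(msg: Message) -> str:
    """Concatenate all text/* parts of a message, decoding each with its charset."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def score_message(raw: str) -> dict:
    """Return which Bofra indicators a raw RFC 822 message matches and whether to flag it."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    body = _body_text(msg)
    body_lower = body.lower()

    reasons = []
    if subject in BOFRA_SUBJECTS:
        reasons.append("subject matches reported Bofra lure: %r" % subject)
    for phrase in BOFRA_BODY_PHRASES:
        if phrase in body_lower:
            reasons.append("body matches reported Bofra phrase: %r" % phrase)
    links = LINK_RE.findall(body)

    # Assumed rule: lure text alone is common in legitimate mail ("Hello"), so require a link too.
    suspicious = bool(reasons) and bool(links)
    return {"suspicious": suspicious, "reasons": reasons, "links": links}


def scan_mailbox(raw_messages) -> list:
    """Return the (index, result) pairs for every message that should be flagged."""
    flagged = []
    for i, raw in enumerate(raw_messages):
        result = score_message(raw)
        if result["suspicious"]:
            flagged.append((i, result))
    return flagged


# Constructed sample messages for the demonstration (not real captures).
SAMPLE_BOFRA_A = (
    "From: someone@example.invalid\n"
    "Subject: funny photos :)\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Look at my homepage with my last webcam photos!\n"
    "http://example.invalid/photos\n"
)
SAMPLE_BOFRA_B = (
    "Subject: Confirmation\n"
    "\n"
    "Congratulations! PayPal has successfully charged $175 to your credit card.\n"
    "To see details please click this link: http://example.invalid/order\n"
)
SAMPLE_BENIGN = (
    "Subject: Hello\n"
    "\n"
    "Are we still meeting on Thursday? No links in this one.\n"
)

if __name__ == "__main__":
    for idx, res in scan_mailbox([SAMPLE_BOFRA_A, SAMPLE_BOFRA_B, SAMPLE_BENIGN]):
        print("message %d flagged:" % idx, res["reasons"], res["links"])
```

The benign "Hello" message is not flagged because it carries no link; in practice such string indicators only hold for the specific variants reported, so they complement rather than replace updated anti-virus signatures at the gateway and desktop.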
"Companies should educate their users to practise safe computing - that includes never clicking on links contained inside unsolicited emails and discouraging the sending and receiving of joke emails and pornographic content," said Graham Cluley, senior technology consultant for Sophos. "This worm feeds on people's habit of blindly clicking on links in their email without realising the risks they may be taking."
Sophos protects against the Bofra worms
Sophos issued protection against the W32/Bofra-A worm at 15:29 GMT on 8 November 2004. Customers using Enterprise Manager or the Sophos small business solutions were automatically protected at their next scheduled update. Customers using these products received protection against the W32/Bofra-B and W32/Bofra-C variants of the worm from 8:22 GMT on 9 November 2004.
Sophos recommends companies protect their email with a consolidated solution to thwart the virus and spam threats as well as secure their desktop and servers with automatically updated anti-virus protection.
More information about the vulnerability can be found on CERT's website. The vulnerability does not appear to be present in computers running Microsoft Windows XP with Service Pack 2.
Is it or isn't it MyDoom?
Some anti-virus vendors have issued protection against the Bofra worms, calling them variants of the MyDoom worm. However, experts at Sophos have determined that Bofra is not a member of the MyDoom worm family.
"Detailed analysis of the Bofra worms reveals that the similarities they have with the MyDoom family of worms are outweighed by the differences," said Cluley. "For one thing, the Bofra worms spread between users in an entirely different way from the MyDoom worm which relied upon email attachments."