Press Releases

Browse our press release archive

09 Nov 2004

Bofra-B worm poses as PayPal purchase, Sophos reports on virus exploiting unpatched Microsoft vulnerability

Anti-virus experts at Sophos have warned users to be wary of unsolicited emails appearing to come from PayPal, as they may be luring the unwary into being infected by the W32/Bofra-B worm.

The Bofra-B worm sends emails pretending to be notification from PayPal of a $175 credit card purchase. Recipients are advised to click on a link to see details of the bogus purchase. If users click on the link they are taken to a webserver running on a previously infected computer, which exploits a serious security vulnerability in Microsoft Internet Explorer.

"Clicking on the link on an unprotected computer initiates the virus attack," said Graham Cluley, senior technology consultant for Sophos. "This serious hole was only found in Microsoft Internet Explorer last week and there is no patch yet available. This is one of the fastest turnarounds of vulnerability discovery to full-blown worm that we have ever seen."

"People will naturally be worried that someone has charged their credit card for a purchase they have never made, and will click on the link to get more information," continued Cluley. "That is precisely what the worm's author is banking on. Everyone should ensure they are running the very latest anti-virus protection and have properly secured their computers from viral attack."

Emails sent by W32/Bofra-B can have the following characteristics:


Subject line:

An email inbox containing email sent by the W32/Bofra-B worm

Message body:
Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days.

To see details please click this link.

DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received. Thank you for using PayPal.

The HTML email can also have a non-white background colour:

An email sent by the W32/Bofra-B worm

More information about the vulnerability can be found on CERT's website. The vulnerability does not appear to be present in computers running Microsoft Windows XP with Service Pack 2.

Is it or isn't it MyDoom?

Some anti-virus vendors have issued protection against the Bofra worms, calling them variants of the MyDoom worm. However, experts at Sophos have determined that Bofra is not a member of the MyDoom worm family.

"Detailed analysis of the Bofra worms reveals that the similarities they have with the MyDoom family of worms are outweighed by the differences," said Cluley. "For one thing, the Bofra worms spread between users in an entirely different way from the MyDoom worm which relied upon email attachments."

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at