
Bofra worm exploiting an unpatched hole

16th November 2004 - We have reports of a worm called Bofra which is in the wild, i.e., reported to be infecting a good number of computers. Bofra, also known as Mydoom.ah/ag, makes use of an unpatched buffer overflow in Internet Explorer and does not require the user to run any executable. The worm sends a link by email, and when the user opens the linked website with Microsoft Internet Explorer, the buffer overflow is triggered, which in turn installs the rest of the worm.

Subject line:

Can be one of the following:
Hello!
Hey!
Hi!
Confirmation

Message Body:

Can be one of the following:

1.
Congratulations! PayPal has successfully charged $175 to your credit
card. Your order tracking number is A866DEC0, and your item will be shipped
within three business days.

To see details please click this link
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by
an automated message system and the reply will not be received.

Thank you for using PayPal.

2.

Hi! I am looking for new friends. I am from Miami, FL. You can see my homepage with my last webcam photos!

3.

Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my homepage with my weblog and last webcam photos!
See you!

The worm sends a link by email and when the recipient accesses this link using Microsoft Internet Explorer, a buffer overflow is triggered which in turn installs the rest of the worm.

Bofra does not include a copy of itself in infected messages. Instead, it sends intended victims an email containing a link to an infected file. The infected file is hosted on the computer which generated the infected message in the first place. When the link is opened in a vulnerable Internet Explorer, the buffer overflow is triggered and the infected file is fetched and launched automatically.

The worm starts up a webserver and also contains a backdoor, which connects to IRC servers.

Avoidance Action:
Make sure your virus definition files are up-to-date. Make sure that computers running email clients have Windows XP SP2 installed: at the time of writing there is no specific Microsoft patch which addresses the IFRAME buffer overflow, but computers running XP SP2 were not found to be vulnerable.

GFI MailSecurity blocks the email message body which contains a link to the infected website. GFI DownloadSecurity blocks the payload code (reactor) when it starts being downloaded.
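As an added illustration (not GFI's code, and not part of the original advisory), the following heuristic mail-filter check scores a raw message against the subject lines and lure phrases listed above, plus a link whose host is a bare IP address, on the assumption the advisory supports that the payload is served by a web server on the infected sender's own machine. The sample messages are constructed; the address 192.0.2.10 is from the documentation range, not a real indicator.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Lure subject lines and body phrases documented in the advisory.
BOFRA_SUBJECTS = {"Hello!", "Hey!", "Hi!", "Confirmation"}
BOFRA_PHRASES = (
    "PayPal has successfully charged",
    "I am looking for new friends",
    "last webcam photos",
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _text_body(msg):
    """Concatenate the text/plain and text/html parts of a parsed message."""
    chunks = []
    for part in msg.walk():  # walk() yields the message itself when not multipart
        if part.get_content_type() in ("text/plain", "text/html"):
            data = part.get_payload(decode=True)
            if data:
                chunks.append(data.decode("latin-1", "replace"))
    return "\n".join(chunks)


def classify_message(raw):
    """Return (score, reasons) for a raw RFC 822 message string.

    Heuristic written for this example: one point each for a lure subject,
    lure body text, and a link to a bare IP host (hypothetical indicator of
    a worm-hosted web server; assumption, not a documented Bofra signature).
    """
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    body = _text_body(msg)
    reasons = []
    if subject in BOFRA_SUBJECTS:
        reasons.append("subject matches Bofra lure")
    if any(phrase in body for phrase in BOFRA_PHRASES):
        reasons.append("body contains Bofra lure text")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if IP_HOST_RE.match(host):
            reasons.append("link to bare IP host: " + host)
            break
    return len(reasons), reasons


def is_suspected_bofra(raw):
    """Flag a message when at least two of the three indicators fire."""
    return classify_message(raw)[0] >= 2


# Constructed sample modelled on lure #1 from the advisory (documentation IP).
SAMPLE = """From: billing@example.com
To: victim@example.org
Subject: Confirmation

Congratulations! PayPal has successfully charged $175 to your credit
card. Your order tracking number is A866DEC0.
To see details please click this link http://192.0.2.10/
"""

# Constructed benign message that shares only the subject line.
BENIGN = """From: alice@example.com
To: bob@example.org
Subject: Hi!

Lunch tomorrow? Agenda is at https://intranet.example.com/lunch
"""
```

A subject match alone (as in the benign sample) is deliberately not enough to quarantine, since "Hi!" and "Hello!" are common legitimate subjects.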

For more updated information: http://www.gfi.com/security



