
Email-Worm.Win32.Bofra.a

Detected Nov 10 2004 16:52 GMT
Released Nov 10 2004 16:52 GMT
Published Nov 11 2004 13:37 GMT

Technical Details

This worm spreads via the Internet in the form of infected emails without an attachment. It utilizes a vulnerability in Internet Explorer to spread. The Security Focus site provides a description of the vulnerability.

Bofra does not include a copy of itself in infected messages. Instead, each message carries a link to the infected file, which is hosted on the computer that generated the message. When the recipient opens the link in a vulnerable version of Internet Explorer, the vulnerability is triggered, causing a buffer overflow, and the infected file is downloaded and launched automatically.

Infected messages are sent to all email addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file approximately 21KB in size, packed using MEW. The unpacked file is approximately 135KB in size.

The worm contains a backdoor, which receives commands via IRC channels.

Installation

Once launched, the worm copies itself to the Windows system directory under a random name that always ends in 32.exe, for example:

C:\WINDOWS\SYSTEM32\kfilaxm32.exe

It then registers this file in the system registry, which ensures the worm is launched each time the system is rebooted:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "Rhino" = "%System%\<random characters>32.exe"
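The persistence entry above is straightforward to check for on an endpoint. The following Python is an added example, not Kaspersky's code and not anything from the worm itself: it flags HKLM Run values whose name is "Rhino" or whose data points at an unrecognised file in the system directory named as lowercase letters followed by 32.exe. The sample Run values, the allowlist of genuine Windows binaries ending in 32.exe, and the helper names `suspicious_run_entries` and `read_run_values` are constructed for this example; `read_run_values` reads the live key through `winreg` on Windows only and returns an empty list elsewhere, so the script falls back to the sample data.

```python
import re
import sys

# Constructed sample of (value name, data) pairs as they would be read from
# HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Not taken from a real host.
SAMPLE_RUN_VALUES = [
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("Rhino", r'"C:\WINDOWS\SYSTEM32\kfilaxm32.exe"'),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Updater", r"%System%\qzmtrpv32.exe"),
]

# Genuine Windows binaries in the system directory whose names end in 32.exe.
# Assumption: a short allowlist built for this example; extend it for your build.
KNOWN_32_EXE = {"rundll32.exe", "regsvr32.exe", "odbcad32.exe", "winhlp32.exe"}

# Data of the form <system dir>\<lowercase letters>32.exe, where the system
# directory is either a literal "system32" path component or the %System%
# placeholder used in the write-up.
SYSTEM_32_EXE = re.compile(
    r"(?:^|\\)(?:system32|%system%)\\([a-z]+32\.exe)$", re.IGNORECASE
)


def suspicious_run_entries(entries):
    """Return (name, data, reason) for Run values matching the Bofra.a pattern."""
    hits = []
    for name, data in entries:
        target = data.strip().strip('"')  # Run data is often quoted
        match = SYSTEM_32_EXE.search(target)
        if name.lower() == "rhino":
            hits.append((name, data, "value name 'Rhino' used by Bofra.a"))
        elif match and match.group(1).lower() not in KNOWN_32_EXE:
            hits.append((name, data, "unrecognised *32.exe in the system directory"))
    return hits


def read_run_values():
    """Read the live HKLM Run key with winreg on Windows; return [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module, hence the late import
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    values = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # raised once the index runs past the last value
                break
            values.append((name, str(data)))
            index += 1
    return values


if __name__ == "__main__":
    entries = read_run_values() or SAMPLE_RUN_VALUES
    for name, data, reason in suspicious_run_entries(entries):
        print(f"{name:20} {data}  <- {reason}")
```

The name check is specific to this variant; the path-pattern check is broader and relies on the allowlist being complete for the Windows build under review, so expect to tune it before treating a hit as more than a lead.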

Propagation via email

The worm scans MS Windows address books for email addresses, and all files with the following extensions:

adbh
aspd
dbxn
htmb
phpq
pl
shtl
tbbg
txt
wab

Messages are not sent to addresses containing the following text strings:

.edu
.gov
.mil
abuse
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
gov.
help
hotmail
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
listserv
math
me
mit.e
mozilla
msn.
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
usenet
utgers.ed
webmaster
you
your

The worm establishes a direct connection to the recipient's SMTP server in order to send messages.

Infected messages

Sender's address:

The sender's name includes one of the names listed below:

adam
alex
alice
andrew
anna
bill
bob
brenda
brent
brian
claudia
dan
dave
david
debby
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
julie
kevin
leo
linda
maria
mary
matt
michael
mike
peter
ray
robert
sam
sandra
serg
smith
stan
steve
ted
tom

The sender's domain will be either chosen at random from the domains in email addresses harvested from the victim machine, or a domain will be chosen from the list below:

aol.com
hotmail.com
msn.com
yahoo.com

Message subject (chosen from the list below)

funny photos :)
hello
hey!

Message body (chosen from the list below)

FREE ADULT VIDEO! SIGN UP NOW!

Look at my homepage with my last webcam photos!

Attachment

Infected messages do not have any attachment. Instead, the message carries a link back to the victim machine that generated it. The link has the following form:

http://<IP-address of victim machine>:<port number>/<file name>

To serve this link, the worm opens a TCP port on the victim computer; the port number is 1639 or higher. Recipients who follow the link download the worm's file from this port.
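The link format and the subject and body lists above are the indicators a mail filter can act on. The following Python is an added example, not part of this description and not Kaspersky's tooling: it extracts links whose host is a raw IPv4 address with an explicit port, flags those on port 1639 or higher, and checks the subject and body against the lists given on this page. The sample messages are constructed (the 192.0.2.0/24 addresses are documentation space, and the file name in the link is invented), as are the function names `ip_port_links`, `split_message` and `bofra_indicators`.

```python
import re

MIN_WORM_PORT = 1639  # lowest port the description reports the worm listening on

# Subject lines and body texts listed in the description above.
KNOWN_SUBJECTS = {"funny photos :)", "hello", "hey!"}
KNOWN_BODY_TEXT = (
    "FREE ADULT VIDEO! SIGN UP NOW!",
    "Look at my homepage with my last webcam photos!",
)

# http(s) link whose host is a dotted-quad IPv4 address followed by an explicit port.
IP_PORT_LINK = re.compile(
    r"https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(/[^\s<>\"']*)?", re.IGNORECASE
)

# Constructed sample messages (header block, blank line, body). Not real captures.
SAMPLE_MESSAGES = {
    "worm_like": (
        "From: alice@example.net\nSubject: funny photos :)\n\n"
        "Look at my homepage with my last webcam photos!\n"
        "http://192.0.2.10:1639/index.html\n"
    ),
    "low_port": "Subject: quarterly report\n\nhttp://192.0.2.10:80/index.html\n",
    "hostname_link": "Subject: hey!\n\nhttp://example.com:8443/x\n",
    "plain": "Subject: meeting\n\nsee you at 10\n",
}


def ip_port_links(text):
    """Return (ip, port, path) for every link in text whose host is a raw IPv4 address."""
    links = []
    for m in IP_PORT_LINK.finditer(text):
        ip, port, path = m.group(1), int(m.group(2)), m.group(3) or "/"
        octets_ok = all(0 <= int(octet) <= 255 for octet in ip.split("."))
        if octets_ok and 1 <= port <= 65535:
            links.append((ip, port, path))
    return links


def split_message(raw):
    """Split a raw header-blank-line-body message into (subject, body)."""
    head, _, body = raw.partition("\n\n")
    subject = ""
    for line in head.splitlines():
        if line.lower().startswith("subject:"):
            subject = line.split(":", 1)[1].strip()
    return subject, body


def bofra_indicators(raw):
    """List the Bofra.a-style indicators present in one message; [] when none apply."""
    subject, body = split_message(raw)
    reasons = []
    if any(port >= MIN_WORM_PORT for _ip, port, _path in ip_port_links(body)):
        reasons.append("link to a raw IP address on TCP port >= 1639")
    if subject in KNOWN_SUBJECTS:
        reasons.append("subject from the worm's list")
    if any(text in body for text in KNOWN_BODY_TEXT):
        reasons.append("body text from the worm's list")
    return reasons


if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(f"{label:14} {bofra_indicators(raw) or 'clean'}")
```

The raw-IP-plus-high-port link is the strongest of the three indicators because it reflects how the worm distributes itself rather than text that a variant could change; the subject and body matches are cheap corroboration and should not be used alone.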

Message signature (chosen from the list below)

Checked by Dr.Web (http://www.drweb.net)
Checked for viruses by Gordano's AntiVirus Software
scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)

Remote administration

The worm opens TCP port 6667 on the victim machine in order to receive commands via IRC channels.


Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).

In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both cases, the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:

  • using a direct connection to an SMTP server using the email directory built into the worm’s code
  • using MS Outlook services
  • using Windows MAPI functions.

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:

  • the address book in MS Outlook
  • a WAB address database
  • .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
  • emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.


Other versions

Aliases

Email-Worm.Win32.Bofra.a (Kaspersky Lab) is also known as: