F-Secure Virus Descriptions : Bofra.B
The Bofra.B worm appeared on November 9th, 2004. This worm
exploits an unpatched vulnerability in Internet Explorer's IFRAME
handling. Unlike regular mass-mailing worms, Bofra.B does not
send itself in the emails, only an HTTP link that points to the
host that sent the infected email.
As a payload Bofra.B has an IRC-controlled backdoor that allows
the creator to download and execute arbitrary programs on the
compromised host.
The worm's body is a Windows PE executable file compressed with
the MEW executable compressor. The unpacked body is around 42 KiB
and was most likely hand-coded in assembly.
System Infection
When the worm's file is run, it copies itself to the Windows System
folder with a random name ending in '32.exe' and creates a
startup key for this file in the Registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Reactor5" = "%SystemDir%\<randomname>32.exe"
%SystemDir% represents the Windows System folder name, for
example C:\Windows\System32 on Windows XP systems.
Email Propagation
To gather email addresses Bofra.B searches the Windows Address
Book, files in the Temporary Internet Files folder and other files
on the hard disk whose names contain the following strings:
wab
pl
adb
tbb
dbx
asp
php
sht
htm
txt
Using its own SMTP engine, Bofra.B sends emails to the collected
addresses. The sender address is spoofed and the content is
randomly chosen from the following components:
Email subjects:
Confirmation
Hello!
Hey!
Hi!
Email bodies contain an HTML-formatted text with the link:
Congratulations! PayPal has successfully charged $175 to your credit card.
Your order tracking number is A866DEC0, and your item will be shipped
within three business days
To see details please click this <link>
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by
an automated message system and the reply will not be received.
or
Hi! I am looking for new friends. I am from Miami, FL.
You can see my <homepage> with my last webcam photos!
or
Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my <homepage> with my weblog and last webcam photos!
See you!
The email does not have any attachments. The worm only sends the
link, which points to the infected host. The format of the link is
h**p://<infected host ip>:port/<file_to_download>
Bofra.B, running on the infected host, has a stripped-down web
server listening on TCP ports starting from 1638 (0x666). The
only purpose of this server is to serve potential targets the
HTML page that contains the exploit, as well as the worm
executable that the exploit will download.
The way this propagation technique works is explained in our
weblog:
http://www.f-secure.com/weblog/archives/archive-112004%2ehtml#00000347
The emails sent by Bofra.B contain a fake virus scanner header
(X-AntiVirus:) that might get one of the following values:
scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
Checked for viruses by Gordano's AntiVirus Software
Checked by Dr.Web (http://www.drweb.net)
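The two mail-level indicators described above (the link to a bare IP on the worm's port range, and the fake X-AntiVirus header) can be turned into a simple mail-gateway check. The following is an added example written for this page, not F-Secure's code; the sample message, the address and the 192.0.2.10 IP are constructed placeholders, and the port range above 1638 is an assumption.

```python
import re
from email import message_from_string

# The three fake X-AntiVirus header values the write-up lists.
FAKE_AV_HEADERS = {
    "scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)",
    "Checked for viruses by Gordano's AntiVirus Software",
    "Checked by Dr.Web (http://www.drweb.net)",
}

# Link shape from the write-up: http://<infected host ip>:port/<file>.
# The port range above 1638 (0x666) is an assumption, not from the write-up.
LINK_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d{2,5})/[^\s\"'<>]*")
PORT_MIN, PORT_MAX = 1638, 1638 + 64

def bofra_indicators(raw_email: str) -> list:
    """Return the Bofra.B indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw_email)
    hits = []
    xav = msg.get("X-AntiVirus", "").strip()
    if xav in FAKE_AV_HEADERS:
        hits.append("fake X-AntiVirus header: " + xav)
    # Scan every text part for a link to a bare IP on the worm's port range.
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        charset = part.get_content_charset() or "latin-1"
        text = part.get_payload(decode=True).decode(charset, "replace")
        for m in LINK_RE.finditer(text):
            if PORT_MIN <= int(m.group(2)) <= PORT_MAX:
                hits.append("link to bare IP on worm port: " + m.group(0))
    return hits

# Constructed sample modelled on the PayPal lure; address and IP are
# documentation placeholders, not real indicators.
SAMPLE = """\
From: service@paypal.example
To: user@example.net
Subject: Confirmation
X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)
Content-Type: text/html; charset=us-ascii

<html><body>Congratulations! PayPal has successfully charged $175 to your
credit card. To see details please click this
<a href="http://192.0.2.10:1638/index.html">link</a></body></html>
"""

if __name__ == "__main__":
    for hit in bofra_indicators(SAMPLE):
        print(hit)
```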
The worm avoids posting to e-mail addresses that contain certain
strings, among them:
accoun
certific
listserv
ntivi
support
icrosoft
admin
page
the.bat
gold-certs
ca
feste
submit
not
help
service
privacy
somebody
no
soft
contact
site
rating
bugs
me
you
your
someone
anyone
nothing
nobody
noone
webmaster
postmaster
samples
info
root
Backdoor
As a payload Bofra.B has an IRC-controlled backdoor that allows
the creator to download and execute arbitrary programs on the
compromised host.
Detection for Bofra.B was published on November 9th, 2004 in
the following F-Secure Anti-Virus updates:
[FSAV_Database_Version]
Version=2004-11-09_01
Write-Up:
Mikko Hypponen, November 9th, 2004;
Technical Details:
Gergely Erdelyi, November 9th, 2004;
F-Secure Corporation