F-Secure Virus Descriptions : Bofra.C
The Bofra.C worm appeared on November 9th, 2004. This worm
exploits an unpatched vulnerability in Internet Explorer's IFRAME
handling. Unlike regular mass-mailing worms, Bofra.C does not
send itself in the emails, only an HTTP link that points to the
host that sent the infected email.
As a payload Bofra.C has an IRC-controlled backdoor that allows
the creator to download and execute arbitrary programs on the
compromised host.
The worm's body is a Windows PE executable file compressed with
the MEW executable compressor. The unpacked body is around 42 KiB
and was most likely hand-coded in assembly.
System Infection
When the worm's file is run, it copies itself to the Windows System
folder with a random name ending in '32.exe' and creates a
startup key for this file in the Registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Reactor3" = "%SystemDir%\<randomname>32.exe"
%SystemDir% represents the Windows System folder name, for
example C:\Windows\System32 on Windows XP systems.
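The persistence artefact above (a "Reactor3" value under the HKCU Run key launching a <randomname>32.exe from the System folder) is easy to check for in a registry export. The following is an added example, not part of the F-Secure write-up: it parses the text that "reg export" produces for the Run keys and grades each entry. The sample export, the file name "kzqpt32.exe" and the "Setup" entry are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a .reg export of the HKCU Run/RunOnce keys as reg.exe writes it.
# The "Reactor3" entry mimics the Bofra.C persistence value; the random file name is made up.
# The "Setup" entry is a constructed look-alike that only matches the path pattern.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"Reactor3"="C:\\WINDOWS\\System32\\kzqpt32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"="C:\\WINDOWS\\System32\\setup32.exe"
'''

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Bofra.C drops <randomname>32.exe into the System folder (%SystemDir%\<randomname>32.exe).
DROPPED_FILE_RE = re.compile(r"\\system32\\[^\\]+32\.exe$", re.IGNORECASE)


def parse_reg_export(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse the subset of the .reg format used for REG_SZ values: [key] sections
    followed by "name"="data" lines, with backslashes doubled in the data."""
    keys: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = []
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name, data = m.group(1), m.group(2).replace("\\\\", "\\")
                keys[current].append((name, data))
    return keys


def find_bofra_persistence(text: str) -> List[dict]:
    """Return Run/RunOnce entries that look like the Bofra.C startup key.
    The value name "Reactor3" is the strong indicator; the System32\\<name>32.exe
    path alone is weak, because legitimate installers use similar names."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not RUN_KEY_RE.search(key):
            continue
        for name, data in values:
            reasons = []
            if name.lower() == "reactor3":
                reasons.append("value name 'Reactor3'")
            if DROPPED_FILE_RE.search(data):
                reasons.append("launch path System32\\<name>32.exe")
            if reasons:
                findings.append({
                    "key": key,
                    "name": name,
                    "data": data,
                    "reasons": reasons,
                    "confidence": "high" if len(reasons) == 2 else "low",
                })
    return findings


if __name__ == "__main__":
    for f in find_bofra_persistence(SAMPLE_REG_EXPORT):
        print(f["confidence"], f["key"], f["name"], "->", f["data"], "|", "; ".join(f["reasons"]))
```

On a live system the same check applies to the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`; the low-confidence path-only hits are worth a look but should be confirmed by hashing the referenced file.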
Email Propagation
To gather email addresses, Bofra.C searches the Windows Address
Book, files in the Temporary Internet Files folder and other files on
the hard disk whose names contain the following strings:
wab
pl
adb
tbb
dbx
asp
php
sht
htm
txt
Using its own SMTP engine, Bofra.C sends emails to the collected
addresses. The sender of the emails is spoofed and the content is
randomly chosen from the following components:
Email subjects:
funny photos :)
hello
hey!
Email bodies contain HTML-formatted text with the link:
FREE ADULT VIDEO! SIGN UP NOW!
Look at my homepage with my last webcam photos!
The email does not have any attachments; the worm only sends a
link that points to the infected host. The format of the link is
h**p://<infected host ip>:port/<file_to_download>
Bofra.C, running on the infected host, starts stripped-down web
servers listening on TCP ports starting from 1638 (0x666). Their
only purpose is to serve potential targets the HTML page that
contains the exploit, as well as the worm executable that the
exploit downloads.
The way this propagation technique works is explained in our
weblog:
http://www.f-secure.com/weblog/archives/archive-112004%2ehtml#00000347
The emails sent by Bofra.C contain a fake virus scanner header
(X-AntiVirus:) that may have one of the following values:
scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
Checked for viruses by Gordano's AntiVirus Software
Checked by Dr.Web (http://www.drweb.net)
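The mail-side indicators described above (the fixed subjects, a body carrying only a link to a raw IP address with an explicit port of 1638 or higher, no attachment, and one of the three forged X-AntiVirus values) can be combined into a simple mail-gateway check. The example below is added here and is not F-Secure's code; it uses Python's standard email parser over two constructed messages (addresses and the 192.0.2.10 host are documentation values, not real infections) and treats the subject as a weak indicator that must be corroborated by at least one other.

```python
import re
from email import message_from_string
from email.message import Message
from typing import List

# Indicators taken from the description: subjects, forged scanner headers, first port.
KNOWN_SUBJECTS = {"funny photos :)", "hello", "hey!"}
KNOWN_FAKE_AV_HEADERS = {
    "scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)",
    "Checked for viruses by Gordano's AntiVirus Software",
    "Checked by Dr.Web (http://www.drweb.net)",
}
BOFRA_FIRST_PORT = 1638  # 0x666; the worm's web servers listen from here upwards
# A link to a bare IPv4 address with an explicit port, as in http://<ip>:<port>/<file>
IP_PORT_LINK_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})/", re.IGNORECASE)

# Constructed sample resembling a Bofra.C mail (not a captured message).
SAMPLE_BOFRA_MAIL = """\
From: "Alice" <alice@example.org>
To: bob@example.net
Subject: funny photos :)
X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>Look at my homepage with my last webcam photos!<br>
<a href="http://192.0.2.10:1638/index.htm">http://192.0.2.10:1638/index.htm</a>
</body></html>
"""

# Constructed benign sample that shares only the weak "hello" subject.
SAMPLE_BENIGN_MAIL = """\
From: carol@example.org
To: bob@example.net
Subject: hello
Content-Type: text/plain; charset="us-ascii"

Minutes from today's meeting are at https://intranet.example.org/notes
"""


def _text_body(msg: Message) -> str:
    """Concatenate all text/* parts, decoded with their declared charset."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def _has_attachment(msg: Message) -> bool:
    return any(part.get_filename() for part in msg.walk())


def bofra_indicators(raw_message: str) -> List[str]:
    """Return the list of Bofra.C indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    hits: List[str] = []
    subject = (msg.get("Subject") or "").strip()
    if subject.lower() in KNOWN_SUBJECTS:
        hits.append(f"known subject: {subject!r}")
    for value in msg.get_all("X-AntiVirus", []):
        if value.strip() in KNOWN_FAKE_AV_HEADERS:
            hits.append("forged X-AntiVirus header")
            break
    for ip, port in IP_PORT_LINK_RE.findall(_text_body(msg)):
        if int(port) >= BOFRA_FIRST_PORT:
            hits.append(f"link to raw IP {ip} on port {port} (>= {BOFRA_FIRST_PORT})")
            if not _has_attachment(msg):
                hits.append("link-only delivery, no attachment")
            break
    return hits


def is_likely_bofra(raw_message: str) -> bool:
    """The subject alone is too common to act on; require two independent indicators."""
    return len(bofra_indicators(raw_message)) >= 2


if __name__ == "__main__":
    for label, mail in (("bofra-like", SAMPLE_BOFRA_MAIL), ("benign", SAMPLE_BENIGN_MAIL)):
        print(label, is_likely_bofra(mail), bofra_indicators(mail))
```

The port threshold rather than an exact match reflects the text's "ports starting from 1638"; a bare-IP link with a high port and no attachment is the part of the pattern that survives even if the subjects or header strings change in a variant.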
The worm avoids posting to e-mail addresses that contain certain
strings, among them:
berkeley
unix
math
bsd
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla
Backdoor
As a payload Bofra.C has an IRC-controlled backdoor that allows
the creator to download and execute arbitrary programs on the
compromised host.
Detection for Bofra.C was published on November 9th, 2004 in
the following F-Secure Anti-Virus updates:
[FSAV_Database_Version]
Version=2004-11-09_01
Write-Up:
Mikko Hypponen, November 9th, 2004;
Technical Details:
Gergely Erdelyi, November 9th, 2004;
F-Secure Corporation