Racy photos an invite to infection
The Bofra.A worm (a.k.a. MyDoom.AG, MyDoom.AH, or MyDoom.AI) exploits some users' penchant for porn and a flaw in Windows to set in motion an ever-moving target of malicious downloads.
Nov 9 2004
Exploits SHDOCVW.DLL flaw

Note: Some vendors are referring to the Bofra worm as a variant of MyDoom, though even then there is disagreement as to which variant they claim it is. For example, Symantec (who also calls the widely known Bagle worm the Beagle worm) initially dubbed the Bofra worm MyDoom.AH, then later changed their name to MyDoom.AI.

Bofra.A is a mass-mailing email worm that arrives without an attachment and infects when the user clicks on an enticing link contained in the Bofra worm's message. The email link claims to point to an adult video or webcam photos. Specifically, Bofra.A exploits a vulnerability in certain versions of SHDOCVW.DLL, a Windows operating system file that renders the IFRAME, FRAME, and EMBED HTML tags. The vulnerable versions of SHDOCVW.DLL are found on Windows XP (SP1 and below) and 2000 systems. Windows XP SP2 is not affected. The vulnerability was first discovered on October 23, 2004, with the first public release of exploit code on November 1, 2004. Bofra.A was discovered on November 8, 2004.

The From address in the email is spoofed and portions of the header may also be forged. The Subject line of the email will be one of the following:
- funny
- photos
- hello
- hey!
- (blank)
- random characters

The Message Body varies and may be either of the following:
- FREE ADULT VIDEO! SIGN UP NOW!
- Look at my homepage with my last webcam photos

The links point to a webpage on the infected host (via TCP port 1639) that exploits the SHDOCVW.DLL vulnerability and results in a buffer overflow condition in Internet Explorer. This allows shell code to execute, causing the local machine to download and execute the malicious file, thus becoming another infected host (and making the download site a perpetually moving target).
The Bofra worm searches the newly infected system for email addresses, sending the email to those found, thus repeating the process.
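A mail-gateway style check for the lure traits listed in the post above (subject words, body text, and a link back to the sending host on TCP port 1639), written as an added example; it is not code from the original post or from any vendor, and the two sample messages, the 203.0.113.7 address and the random-subject heuristic are constructed assumptions.

```python
import re
from email import message_from_string
from email.policy import default

# Subject lines and body phrases named in the write-up ("" covers the blank subject).
LURE_SUBJECTS = {"funny", "photos", "hello", "hey!", ""}
LURE_BODIES = (
    "free adult video! sign up now!",
    "look at my homepage with my last webcam photos",
)
# The lure link points at a web server on the infected sender, port 1639.
LINK_RE = re.compile(r"https?://[\w.\-]+:1639(?:/|\b)", re.IGNORECASE)


def looks_random(subject: str) -> bool:
    # Heuristic (an assumption of this example, not from the write-up): a single
    # alphanumeric token of 6+ chars that is vowel-poor or mixes in digits.
    s = subject.strip()
    if " " in s or len(s) < 6 or not s.isalnum():
        return False
    vowels = sum(c in "aeiouAEIOU" for c in s)
    return any(c.isdigit() for c in s) or vowels / len(s) < 0.2


def score_message(raw: str) -> dict:
    """Return the Bofra-style indicators found in one RFC 822 message."""
    msg = message_from_string(raw, policy=default)
    subject = str(msg["subject"] or "").strip()
    part = msg.get_body(preferencelist=("html", "plain"))
    text = part.get_content() if part else ""
    hits = []
    if subject.lower() in LURE_SUBJECTS:
        hits.append("lure subject")
    elif looks_random(subject):
        hits.append("random-character subject")
    if any(p in text.lower() for p in LURE_BODIES):
        hits.append("lure body text")
    if LINK_RE.search(text):
        hits.append("link to port 1639")
    # Two independent traits are required so a lone short subject is not flagged.
    return {"subject": subject, "indicators": hits, "suspicious": len(hits) >= 2}


# Constructed samples: one Bofra-like lure, one ordinary message.
SAMPLE_LURE = (
    "From: jane@example.com\nTo: victim@example.org\nSubject: hey!\n"
    "Content-Type: text/plain\n\n"
    "FREE ADULT VIDEO! SIGN UP NOW! http://203.0.113.7:1639/\n"
)
SAMPLE_BENIGN = (
    "From: colleague@example.com\nTo: victim@example.org\nSubject: Meeting notes\n"
    "Content-Type: text/plain\n\n"
    "Notes from today are at https://intranet.example.com/notes\n"
)
```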
TeeHee .. that's interesting .. See Also my thread: Latest Mydoom Variants. So far Sophos is the only one I've found calling it "Bofra"; the rest {ESET, TrendMicro, Symantec, VSAntivirus, F-Secure, Kaspersky, Norman, McAfee, etc.} are calling it some variant of Mydoom. And "Beagle" is only one letter removed from "Bagle" so ... TeeHee .. "a malware Rose by any other Name would stink as badly" .. hehe .. Take Care, Ran
Correction, it now appears that some vendors agree and have renamed recent Mydoom variants to the "Bofra" family of worms. As Norman states: "This family has now been renamed to Bofra, after deciding that these worms are too different from the Mydoom family to belong there."
From: W32/Bofra.B@mm http://www.norman.com/Virus/Virus_descriptions/18529/
TrendMicro has made the name change also.
TrendMicro: WORM_MYDOOM.AG - This worm virus has been renamed to WORM_BOFRA.C.
TrendMicro: WORM_MYDOOM.AH - This worm virus has been renamed to WORM_BOFRA.B.
Symantec also names them Bofra. http://securityresponse.symantec.com/avcenter/venc/data/w32.bofra.e@mm.html
I block all advertisement sites in my Firefox browser. Most banner ads are just plain annoying and sickening to me. With banner ads serving up viruses, I think it's best not to visit websites that contain advertisements.
This exploit and the fact that it is being used by a couple of worms in the wild has been known for some time. Of course this raises questions as to why it is taking MS so long to fix it. IE in SP2 has a buffer overrun protection feature that prevents infection for SP2 users. If it is possible that MS is tracking its feet on a fix for non-SP2 users in order to encourage upgrading to XP SP2, this can be counterproductive because all users need to do is stop using IE and they will not be affected.
http://www.theregister.co.uk/2004/11/21/register_adserver_attack/
"Bofra/IFrame is a currently unpatched exploit which affects Internet Explorer 6.0 on all Windows platforms bar Windows XP SP2. If you may have visited The Register between 6am and 12.30pm GMT on Saturday, Nov 20 using any Windows platform bar XP SP2 we strongly advise you to check your machine with up to date anti-virus software, to install SP2 if you are running Windows XP, and to strongly consider running an alternative browser, at least until Microsoft deals with the issue."