Racy photos an invite to infection

The Bofra.A worm (a.k.a. MyDoom.AG, MyDoom.AH, or MyDoom.AI) exploits some users' appetite for porn, and a flaw in Windows, to set in motion an ever-moving target of malicious downloads.

Nov 9 2004

Exploits SHDOCVW.DLL flaw

Note: Some vendors refer to the Bofra worm as a variant of MyDoom, though even then they disagree on which variant it is. For example, Symantec (who also calls the widely known Bagle worm "Beagle") initially dubbed the Bofra worm MyDoom.AH and later changed the name to MyDoom.AI.

Bofra.A is a mass-mailing email worm that arrives without an attachment and infects when the user clicks an enticing link contained in the worm's message. The link claims to point to an adult video or webcam photos. Because there is no attachment, attachment-based mail scanning has nothing to catch; the malicious code is only fetched when the link is followed.

Specifically, Bofra.A exploits a vulnerability in certain versions of SHDOCVW.DLL, a Windows operating system file that renders the IFRAME, FRAME, and EMBED HTML tags. The vulnerable versions of SHDOCVW.DLL are found on Windows XP (SP1 and earlier) and Windows 2000 systems. Windows XP SP2 is not affected. The vulnerability was first discovered on October 23, 2004, with the first public release of exploit code on November 1, 2004. Bofra.A was discovered on November 8, 2004.

The From address in the email is spoofed, and portions of the header may also be forged. The Subject line of the email will be one of the following:

  funny photos
  hello
  hey!
  (blank)
  (random characters)

The message body varies and may be either of the following:

  FREE ADULT VIDEO! SIGN UP NOW!
  Look at my homepage with my last webcam photos

The link points to a web page served by the infected host itself, on TCP port 1639. That page exploits the SHDOCVW.DLL vulnerability and triggers a buffer overflow in Internet Explorer. This allows shellcode to execute, which makes the local machine download and run the malicious file, so that it becomes another infected host (and the download site becomes a perpetually moving target, since each new victim serves the worm from its own address).
The Bofra worm then searches the newly infected system for email addresses and sends the email to those it finds, repeating the process.
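As an added example (not code from the original article), the following Python script triages a mail message against the indicators listed above: the lure subjects, the two lure bodies, and a link whose host is a bare IP address on TCP port 1639, the port the worm's own web server listens on. The sample messages are constructed for the example, and the weighting (a port-1639 link to a bare IP is treated as decisive on its own, while a lure phrase alone only earns a manual review) is an assumption of the example rather than anything the article states.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Indicators quoted in the article. "hello" is a common subject, so on its
# own it is a weak signal; the port-1639 link is the distinctive one.
LURE_SUBJECTS = {"funny photos", "hello", "hey!"}
LURE_BODIES = (
    "FREE ADULT VIDEO! SIGN UP NOW!",
    "Look at my homepage with my last webcam photos",
)
BOFRA_PORT = 1639  # web server the worm runs on each infected host

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _body_text(msg: Message) -> str:
    """Decode and join the text/* parts of a message (walk() also handles non-MIME)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            charset = part.get_content_charset() or "latin-1"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def find_bofra_links(text: str) -> list:
    """Return URLs whose host is a bare IPv4 address and whose port is 1639.

    Infected hosts serve the exploit page from their own address, so the
    host changes constantly while the port stays fixed.
    """
    hits = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url.rstrip(".,);"))
        if parsed.hostname and IPV4_RE.match(parsed.hostname) and parsed.port == BOFRA_PORT:
            hits.append(url)
    return hits


def classify_message(raw: str) -> dict:
    """Score one RFC 822 message and return the indicators found plus a verdict.

    Verdicts (assumed weighting, not from the article):
      bofra-suspect : a bare-IP link on port 1639 is present
      review        : a lure body phrase matched but no such link
      clean         : nothing beyond, at most, a common subject line
    """
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    body = _body_text(msg)

    indicators = []
    if subject == "" or subject.lower() in LURE_SUBJECTS:
        indicators.append("lure-subject")
    if any(phrase.lower() in body.lower() for phrase in LURE_BODIES):
        indicators.append("lure-body")
    links = find_bofra_links(body)
    if links:
        indicators.append("link-to-port-1639")

    if links:
        verdict = "bofra-suspect"
    elif "lure-body" in indicators:
        verdict = "review"
    else:
        verdict = "clean"
    return {"subject": subject, "indicators": indicators, "links": links, "verdict": verdict}


# Constructed sample messages (not real captures); addresses use documentation ranges.
SAMPLE_BOFRA = """From: Jenny <jenny@example.net>
To: victim@example.org
Subject: hello

Look at my homepage with my last webcam photos
http://192.0.2.17:1639/
"""

SAMPLE_LURE_ONLY = """From: promo@example.net
To: victim@example.org
Subject:

FREE ADULT VIDEO! SIGN UP NOW!
"""

SAMPLE_BENIGN = """From: newsletter@example.com
To: victim@example.org
Subject: hello

Your weekly digest is at http://www.example.com/digest
"""

if __name__ == "__main__":
    for raw in (SAMPLE_BOFRA, SAMPLE_LURE_ONLY, SAMPLE_BENIGN):
        print(classify_message(raw))
```

The same port-based check works at the network edge: an outbound HTTP request to a bare IP address on TCP 1639 from a workstation is a useful alert, and blocking that port outbound stops the download stage regardless of which lure text or sender address the message carries.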