Racy photos

Discussion in 'malware problems & news' started by Rita, Nov 10, 2004.

Thread Status:
Not open for further replies.
  1. Rita

    Rita Infrequent Poster

    Joined:
    Jun 28, 2004
    Posts:
    6,863
    Location:
    wilds of wv
    Racy photos an invite to infection
    The Bofra.A worm (a.k.a. MyDoom.AG, MyDoom.AH, or MyDoom.AI) exploits some users' penchants for porn and a flaw in Windows to set in motion an ever-moving target of malicious downloads

    Nov 9 2004

    Exploits SHDOCVW.DLL flaw
    Note: Some vendors are referring to the Bofra worm as a variant of MyDoom, though even then there is disagreement as to which variant they claim it is. For example, Symantec (who also calls the widely known Bagle worm the Beagle worm) initially dubbed the Bofra worm MyDoom.AH, then later changed their name to MyDoom.AI. Bofra.A is a mass-mailing email worm that arrives without an attachment and infects when the user clicks on an enticing link contained in the Bofra worm's message. The email link claims to point to an adult video or webcam photos.
    Specifically, Bofra.A exploits a vulnerability in certain versions of SHDOCVW.DLL, a Windows operating system file that renders the IFRAME, FRAME, and EMBED HTML tags.

    The vulnerable versions of SHDOCVW.DLL are found on Windows XP (SP1 and below) and 2000 systems.

    Windows XP SP2 is not affected.
    The vulnerability was first discovered on October 23, 2004, with the first public release of exploit code on November 1, 2004. Bofra.A was discovered on November 8, 2004.

    The From address in the email is spoofed and portions of the header may also be forged. The Subject line of the email will be one of the following:

    funny photos :)
    hello
    hey!
    blank
    random characters
    The Message Body varies and may be either of the following:

    FREE ADULT VIDEO! SIGN UP NOW!
    Look at my homepage with my last webcam photos
    The links point to a webpage on the infected host (via TCP port 1639) that exploits the SHDOCVW.DLL vulnerability and results in a buffer overflow condition in Internet Explorer. This allows shell code to execute, causing the local machine to download and execute the malicious file, thus becoming another infected host (and making the download site a perpetually moving target).

    The Bofra worm searches the newly infected system for email addresses, sending the email to those found, thus repeating the process.
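    The post above gives enough concrete indicators (a fixed set of subject lines, two body phrases, no attachment, and a link to an HTTP listener on TCP port 1639 of an already-infected host) to build a simple mail-gateway triage check. The Python below is an added example for this thread, not code from the original post or from any vendor named here; the three sample messages are constructed, and the hosts in them use documentation address ranges.

```python
"""Heuristic triage for Bofra.A-style lure emails (constructed example).

Indicators are taken from the worm description quoted in this thread:
subject lines, message-body phrases, absence of an attachment, and a link
to TCP port 1639 on the sending (infected) host. Nothing here contacts
the network; it only parses RFC 822 text.
"""
import re
from email import message_from_string
from email.message import Message

# Subject lines listed for the worm; blank and random subjects are
# ignored here because they are too common to act on alone.
LURE_SUBJECTS = {"funny photos :)", "hello", "hey!"}
LURE_BODY_PHRASES = (
    "free adult video! sign up now!",
    "look at my homepage with my last webcam photos",
)
BOFRA_PORT = 1639  # port of the web server the worm runs on infected hosts

# Captures host and optional explicit port from http(s) URLs in the body.
URL_RE = re.compile(r"https?://([^\s/:<>\"']+)(?::(\d+))?", re.IGNORECASE)


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain and text/html parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        raw = part.get_payload(decode=True) or b""
        chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def has_attachment(msg: Message) -> bool:
    """Bofra.A arrives without an attachment; this lets a policy notice that."""
    return any(part.get_filename() for part in msg.walk())


def extract_links(text: str) -> list:
    """Return (host, port) tuples; port is None when the URL has no explicit port."""
    return [(host.lower(), int(port) if port else None) for host, port in URL_RE.findall(text)]


def triage(raw_message: str) -> dict:
    """Score one raw message and return a verdict with the reasons behind it."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip().lower()
    body_norm = " ".join(_body_text(msg).lower().split())

    subject_hit = subject in LURE_SUBJECTS
    body_hit = any(phrase in body_norm for phrase in LURE_BODY_PHRASES)
    links = extract_links(_body_text(msg))
    port_hosts = [host for host, port in links if port == BOFRA_PORT]

    reasons = []
    if subject_hit:
        reasons.append(f"subject matches lure list: {subject!r}")
    if body_hit:
        reasons.append("body matches lure phrase")
    if port_hosts:
        reasons.append(f"link to tcp/{BOFRA_PORT} on {', '.join(port_hosts)}")
    if not has_attachment(msg):
        reasons.append("no attachment (consistent with link-only lure)")

    # A link to the worm's port plus lure text is enough to block; either one
    # alone is only worth a look, and a common subject like "hello" by itself
    # is not actionable.
    if port_hosts and (subject_hit or body_hit):
        verdict = "block"
    elif port_hosts or body_hit:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "reasons": reasons, "links": links}


# Constructed sample messages (not real captures).
SAMPLE_LURE = """From: alice@example.com
To: bob@example.org
Subject: hey!
Content-Type: text/plain

Look at my homepage with my last webcam photos
http://192.0.2.10:1639/index.htm
"""

SAMPLE_BENIGN = """From: carol@example.org
To: bob@example.org
Subject: Q3 budget
Content-Type: text/plain

Revised figures are at http://intranet.example.org/budget
"""

SAMPLE_COMMON_SUBJECT = """From: dave@example.org
To: bob@example.org
Subject: hello
Content-Type: text/plain

Are you coming on Friday? Details: http://example.org/party
"""

if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN),
                         ("common-subject", SAMPLE_COMMON_SUBJECT)):
        result = triage(sample)
        print(f"{name:15} {result['verdict']:7} {'; '.join(result['reasons'])}")
```

    The port check is the strongest of the three signals because ordinary mail rarely links to a non-standard port on a residential host; the subject list is deliberately treated as supporting evidence only, since "hello" and "hey!" are everyday subjects. Pair this with a log of the sender's source IP, since the worm's link normally points back at the infected sender.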
     
  2. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    TeeHee .. that's interesting .. ;)

    See also my thread: Latest Mydoom Variants. So far Sophos is the only one I've found calling it "Bofra"; the rest {ESET, TrendMicro, Symantec, VSAntivirus, F-Secure, Kaspersky, Norman, McAfee, etc.} are calling it some variant of Mydoom.

    And "Beagle" is only one letter removed from "Bagle" so ... TeeHee .. "a malware Rose by any other Name would stink as badly" .. hehe ..

    Take Care, Ran
     
    Last edited: Nov 11, 2004
  3. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Correction, it now appears that some vendors agree and have renamed recent Mydoom variants to the "Bofra" family of worms. As Norman states:

    "This family has now been renamed to Bofra, after deciding that these worms are too different from the Mydoom family to belong there."

    From: W32/Bofra.B@mm
    http://www.norman.com/Virus/Virus_descriptions/18529/

    TrendMicro has made the name change also. ;)
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,751
    Location:
    Texas
    Banner Ads Serving Up MyDoom
    This concerns the Bofra virus.
    internetnews
     
  7. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I block all advertisement sites in my firefox browser. Most banner ads are just plain annoying and sickening to me. :mad:
    With banner ads serving up viruses, I think it's best not to visit websites that contain advertisements.
     
    Last edited: Nov 23, 2004
  8. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    This exploit and the fact that it is being used by a couple of worms in the wild has been known for some time. Of course this raises questions as to why it is taking MS so long to fix it. IE in SP2 has a buffer overrun protection feature that prevents infection for SP2 users. If it is possible that MS is dragging its feet on a fix for non-SP2 users in order to encourage upgrading to XP SP2, this can be counterproductive because all users need to do is stop using IE and they will not be affected.

    http://www.theregister.co.uk/2004/11/21/register_adserver_attack/

    Bofra/IFrame is a currently unpatched exploit which affects Internet Explorer 6.0 on all Windows platforms bar Windows XP SP2. If you may have visited The Register between 6am and 12.30pm GMT on Saturday, Nov 20 using any Windows platform bar XP SP2 we strongly advise you to check your machine with up to date anti-virus software, to install SP2 if you are running Windows XP, and to strongly consider running an alternative browser, at least until Microsoft deals with the issue.
     
  9. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    I agree 100%!

    -HandsOff
     