Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: LOW
Payload: Sets up a web server and attempts to connect to IRC servers
Detection files published: 10 Nov 2004 03:00:00
Description created: 09 Nov 2004 04:06:00
Description updated: 09 Nov 2004 04:06:00
Malware type: WORM
Aliases: W32/Mydoom.ah@MM, I-Worm/Mydoom.AC, I-Worm.Mydoom.ad, W32.Mydoom.AH@mm, W32/Bofra-B
Spreading mechanism: EMAIL, UNKNOWN
Summary: None

W32/Bofra.B@mm

Spreading

The worm does not arrive as an attachment. Instead, the mails it sends contain a link to a malformed HTML page hosted on another infected system. If the user clicks the link, a buffer-overflow exploit against Internet Explorer is triggered, causing the browser to download and execute the worm.
When the worm is first run it copies itself to the Windows System folder under a random name that always ends in "32", e.g. jaicbw32.exe. It then attempts to inject itself into the memory space of the Windows Explorer process, so that it does not appear as a separate entry in the process list. From there it sets up a web server and starts its mailing routine.
The worm makes a number of changes to the registry:
Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version".
Creates key "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version".
Deletes value "center" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
Deletes value "reactor" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
Deletes value "Rhino" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
Deletes value "Reactor3" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
Deletes value "Reactor4" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
Creates value "Reactor5"="C:\WINDOWS\SYSTEM\" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

Note: The deleted registry values apparently belong to earlier worms in this series, which the new variant removes from the Run key before adding its own entry.

Payload Details

The worm sets up a small web server listening on TCP port 1639 on infected systems. In addition, the worm attempts to log on to a number of IRC servers.
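A host-side check for the indicators listed in the Spreading and Payload sections above (the "Reactor5" Run value, the ComExplore\Version marker keys, a listener on TCP 1639 and recently written *32.exe files in the System folder), written as an added example that is not part of the Lumension description. Function and variable names are this example's own; Get-NetTCPConnection assumes the NetTCPIP module (Windows 8 / Server 2012 and later).

```powershell
# Added example (not Lumension's code): report W32/Bofra.B indicators on this host.
function Test-BofraBIndicators {
    $findings = @()

    # Autorun value the worm creates under HKLM\...\Run
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['Reactor5']) {
        $findings += "Run value Reactor5 present: $($run.Reactor5)"
    }

    # Marker keys the worm creates under both HKLM and HKCU
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version"
        if (Test-Path -Path $key) { $findings += "Marker key present: $key" }
    }

    # Embedded web server: anything listening on TCP 1639 is worth a look
    $listeners = Get-NetTCPConnection -LocalPort 1639 -State Listen -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $findings += "TCP 1639 listening, PID $($l.OwningProcess) ($($proc.ProcessName))"
    }

    # The dropped file has a random name ending in "32", so only recently written
    # *32.exe files in the System folder are listed, for manual review (7-day window
    # is this example's assumption, not from the description)
    $sys = [Environment]::GetFolderPath('System')
    Get-ChildItem -Path $sys -Filter '*32.exe' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
        ForEach-Object { $findings += "Recent *32.exe in System folder: $($_.FullName)" }

    return $findings
}

$results = Test-BofraBIndicators
if ($results.Count -eq 0) { 'No W32/Bofra.B indicators found.' } else { $results }
```

The file listing is a review aid only: legitimate Windows binaries also end in "32.exe", so treat that section as a pointer for analysis rather than a verdict.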

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:15