Specifically, Bofra.A exploits a vulnerability in certain versions of SHDOCVW.DLL, a Windows operating system file that renders the IFRAME, FRAME, and EMBED HTML tags.
The vulnerable versions of SHDOCVW.DLL are found on Windows Xp (SP1 and below) and 2000 systems. Windows XP SP2 is not affected.
The vulnerability was first discovered on October 23, 2004 with first public release of exploit code on November 1, 2004. Bofra.A was discovered on November 8, 2004.
The From address in the email is spoofed and portions of the header may also be forged. The Subject line of the email will be one of the following:
- funny photos :)
hello
hey!
blank
random characters
The Message Body varies and may be either of the following:
- FREE ADULT VIDEO! SIGN UP NOW!
Look at my homepage with my last webcam photos
The links point to a webpage on the infected host (via TCP port 1639) that exploits the SHDOCVW.DLL vulnerability and results in a buffer overflow condition in Internet Explorer. This allows shell code to execute, causing the local machine to download and execute the malicious file, thus becoming another infected host (and making the download site a perpetually moving target).
The Bofra worm searches the newly infected system for email addresses, sending the email to those found, thus repeating the process.
A second variant of the worm masquerades as a PayPal notice, claiming that PayPal has charged $175 to your account and providing a link to find 'details'. Of course, clicking the link infects the recipient's computer.