
Bofra.A / MyDoom variant

Exploits SHDOCVW.DLL flaw


Updated November 12, 2004
Note: Some vendors treat the Bofra worm as a variant of MyDoom, and even they disagree about which variant it is. Symantec (who also refers to the widely known Bagle worm as Beagle), for example, initially named the Bofra worm MyDoom.AH and later renamed it MyDoom.AI.

Bofra.A is a mass-mailing email worm that arrives without an attachment and infects a machine only when the user clicks an enticing link in the worm's message. The link claims to point to an adult video or webcam photos.

Specifically, Bofra.A exploits a vulnerability in certain versions of SHDOCVW.DLL, the Windows system library that Internet Explorer uses to handle the IFRAME, FRAME, and EMBED HTML tags.

The vulnerable versions of SHDOCVW.DLL are found on Windows XP (SP1 and earlier) and Windows 2000 systems. Windows XP SP2 is not affected, so XP users who have not yet applied SP2 remain exposed.

The vulnerability was first disclosed on October 23, 2004, and exploit code was first released publicly on November 1, 2004. Bofra.A itself was discovered on November 8, 2004.

The From address in the email is spoofed, and other parts of the header may also be forged, so neither identifies the real sender. The Subject line is one of the following:

    funny photos :)
    hello
    hey!
    (blank)
    (a string of random characters)

The Message Body varies and may be either of the following:

The links point to a web page served by the infected host itself, on TCP port 1639. That page exploits the SHDOCVW.DLL vulnerability, triggering a buffer overflow in Internet Explorer; the resulting shellcode makes the visiting machine download and execute the worm binary, so it becomes another infected host and another download site. Because every infected host serves the exploit page, there is no single download site to block.
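The infection chain described above (a mailed link to an infected host on TCP port 1639, then a page carrying an oversized IFRAME/FRAME/EMBED attribute) lends itself to two simple checks on mail and web traffic. The Python below is an added example written for this article, not code from the original page or from any vendor. The port-1639 check follows directly from the description above; the attribute-length heuristic reflects the nature of the SHDOCVW.DLL flaw, which is triggered by overlong SRC and NAME attributes (the IFRAME issue fixed in Microsoft bulletin MS04-040), and its 1024-character threshold is an assumption. The sample email and sample page are constructed, not captured samples.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Bofra.A serves its exploit page from the infected host on this TCP port
# (from the write-up above); a link to a bare IP address on this port is a
# strong indicator in mail or proxy logs.
WORM_PORT = 1639

# IFRAME/FRAME/EMBED SRC or NAME attributes longer than this are flagged.
# The threshold is an assumption for this heuristic, not a value from any advisory.
SUSPICIOUS_ATTR_LEN = 1024

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def find_worm_links(text):
    """Return URLs in `text` that point at a bare IPv4 address on WORM_PORT."""
    hits = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")  # drop trailing sentence punctuation
        parts = urlparse(url)
        try:
            port = parts.port
        except ValueError:  # malformed port such as http://host:abc/
            continue
        if port == WORM_PORT and parts.hostname and IPV4_RE.match(parts.hostname):
            hits.append(url)
    return hits


class FrameTagScanner(HTMLParser):
    """Collect IFRAME/FRAME/EMBED tags whose SRC or NAME attribute is abnormally long."""

    WATCHED_TAGS = {"iframe", "frame", "embed"}
    WATCHED_ATTRS = {"src", "name"}

    def __init__(self, limit):
        super().__init__()
        self.limit = limit
        self.findings = []  # (tag, attribute, length)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag not in self.WATCHED_TAGS:
            return
        for name, value in attrs:
            if name in self.WATCHED_ATTRS and value is not None and len(value) > self.limit:
                self.findings.append((tag, name, len(value)))


def scan_html(html, limit=SUSPICIOUS_ATTR_LEN):
    """Return (tag, attribute, length) for every oversized frame attribute in `html`."""
    scanner = FrameTagScanner(limit)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed lure message in the style described above (not a captured Bofra sample).
SAMPLE_EMAIL = (
    "Subject: funny photos :)\n\n"
    "look at my webcam photos!\n"
    "http://192.0.2.10:1639/photos.html\n"
    "unsubscribe: http://www.example.com/unsub.\n"
)

# Constructed page with one ordinary iframe and one whose SRC is padded far
# beyond any legitimate length, the shape of input the SHDOCVW.DLL flaw
# mishandles. It is padding only, not an exploit.
SAMPLE_PAGE = (
    "<html><body>"
    '<iframe src="http://www.example.com/ad.html" name="ad"></iframe>'
    '<iframe src="file://' + "A" * 3000 + '" name="x"></iframe>'
    "</body></html>"
)

if __name__ == "__main__":
    print("worm links:", find_worm_links(SAMPLE_EMAIL))
    print("oversized frame attributes:", scan_html(SAMPLE_PAGE))
```

The first check is cheap enough to run on every inbound message at the gateway; the second belongs at a web proxy, where it catches the exploit page regardless of which infected host happens to be serving it that day.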

The Bofra worm then searches the newly infected system for email addresses and mails itself to each one found, repeating the cycle.

A second variant of the worm masquerades as a PayPal notice, claiming that PayPal has charged $175 to your account and offering a link to see the 'details'. Clicking the link infects the recipient's computer in the same way.


©2014 About.com. All rights reserved.