Threat behavior
When Win32/Bofra runs, it deletes values from the registry that may cause certain other malicious software to run automatically each time Windows starts. The worm then terminates immediately if the system time is after December 15, 2004, 02:28:57. Otherwise, the worm proceeds as follows.
If the worm process was not started from the current user’s temporary directory or the Windows system directory, the worm creates a copy of itself in the Windows system directory. If that fails, the worm attempts to copy itself to the user’s temporary directory. The worm copy is named <random>32.exe. The worm creates a value that contains this file name in one of the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
The new value in the registry causes the worm to run automatically each time Windows starts.
If the infected computer is running a Windows NT-based operating system, the worm opens the explorer.exe process or the process that owns the foreground window. The worm copies itself into the memory of the process and starts a new thread in the process. The worm then terminates. If the operating system is not NT-based, the worm registers itself as a service so that the worm process does not appear in Task Manager.
The original worm process or injected process then performs the following operations:
- Creates a Web server on TCP port 1639. The worm sends a copy of itself to any user who connects to this server and requests a URL containing the string "reactor".
- Sends e-mail to variations of e-mail addresses that the worm finds on the infected computer. The e-mail body contains a link to the Web server. Some variants of Win32/Bofra send a link that does not include the string "reactor".
- Connects to an IRC server from the infected computer to receive commands from attackers, who can then take control of the computer.
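As an added example, not part of this write-up, the following Python checks constructed sample data for the host and mail artefacts described above: Run values naming a <random>32.exe image in the system or Temp directory, e-mail links that point at the worm's TCP port 1639, and the kill date after which the sample exits. The sample paths, names and addresses and the KNOWN_GOOD allow-list are assumptions made for the example.

```python
import re
from datetime import datetime
from pathlib import PureWindowsPath

# Kill date from the write-up: the worm exits at once past this time, so a
# sandbox whose clock is later than this shows none of the behaviour below.
KILL_DATE = datetime(2004, 12, 15, 2, 28, 57)
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
# Constructed (key, value name, data) samples; the file names are made up.
SAMPLE_RUN_VALUES = [
    (RUN_KEYS[0], "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    (RUN_KEYS[0], "xqzp32", r"C:\WINDOWS\system32\xqzp32.exe"),
    (RUN_KEYS[1], "updater", r"C:\DOCUME~1\usr\LOCALS~1\Temp\kdhw32.exe"),
    (RUN_KEYS[1], "rundll", r"C:\WINDOWS\system32\rundll32.exe shell32.dll,Control_RunDLL"),
]
# Constructed mail bodies: one with "reactor", one from a variant without it.
SAMPLE_MAILS = [
    "See this: http://192.0.2.10:1639/reactor/index.php",
    "pics here http://198.51.100.7:1639/",
    "newsletter at http://example.net/reactor",
]
# Assumed allow-list of legitimate Windows *32.exe images seen in Run values.
KNOWN_GOOD = {"rundll32.exe"}

def is_past_kill_date(now: datetime) -> bool:
    """True once the clock is past the hard-coded date (worm would exit)."""
    return now > KILL_DATE

def suspicious_run_values(values):
    """Run values whose image is <random>32.exe in system32 or a Temp directory."""
    hits = []
    for key, name, data in values:
        m = re.match(r'"?(.+?\.exe)', data, re.IGNORECASE)  # image path, args stripped
        if not m:
            continue
        exe = PureWindowsPath(m.group(1))
        base = exe.name.lower()
        in_drop_dir = exe.parent.as_posix().lower().endswith(("/system32", "/temp"))
        if re.fullmatch(r"[a-z0-9]+32\.exe", base) and in_drop_dir and base not in KNOWN_GOOD:
            hits.append((key, name, str(exe)))
    return hits

def bofra_links(text):
    """Links to TCP port 1639, the worm's Web server; 'reactor' is not required
    because some variants send links without that string."""
    return re.findall(r"https?://[^\s/]+:1639\S*", text)
```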
Prevention