Worm lures users into online booby trap
A computer worm that turns desktop PCs into malicious web servers has begun infecting computers around the world, experts warn.
The Bofra worm, which comes in two variations known as Bofra-A and Bofra-B, spreads by exploiting a software bug discovered in Microsoft's Internet Explorer web browser on 2 November.
This bug affects the way Explorer interprets web page tags - the underlying code that defines parts of a web page - and can be used to run unauthorised code on machines using the Windows operating system.
Microsoft has not yet released a software fix for the problem, although computers running its latest software package - Service Pack 2, which includes various security enhancements - should be immune. Firewalls that are installed and switched on may also prevent the worms from spreading by blocking their communications.
The worms install a miniature web server on infected computers and generate web pages containing the unauthorised code. The worms then automatically send emails to everyone in the email address book of an infected computer in an attempt to get them to visit the pages.
Early versions of the worm promise pornographic material via a link, but later incarnations pose as a notification for a PayPal charge, with a link that can be used to cancel it. If the recipient hits the link and visits the page using Explorer, their computer may become infected too.
"This worm feeds on people's habit of accepting titillating content into their work inbox," says Graham Cluley of UK antivirus firm Sophos. "But they could be risking clogging up their company's email system."
Analysis by another antivirus company suggests the worms could be used to control a computer remotely. Several other worms have been used in this way to send email spam.
"It also has backdoor capabilities," reads an alert issued by US firm Trend Micro. "It listens for commands from a remote host."
As the two worms bear several structural similarities to variants of another worm known as MyDoom, some antivirus companies refer to them as W32/MyDoom.AG, and W32/MyDoom.AH or W32/MyDoom.AI.
But Cluley says the new programs are different enough to justify a new name. "The similarities they have with the MyDoom family of worms are outweighed by the differences," he says. "For one thing, the Bofra worms spread between users in an entirely different way from the MyDoom worm, which relied upon email attachments."