Educause Security Discussion mailing list archives
Re: Bofra: "PayPal" and "WebCam" emails exploiting IE vuln
From: Bob Smith <smithrj () LONGWOOD EDU>
Date: Mon, 8 Nov 2004 20:44:42 -0500
McAfee is reporting this as W32/Mydoom.ag@MM and it is here on campus. No DAT's will be available until 11/10/04 according to their web site. The first emails started around 5:44pm EST and are continuing.

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Phil Rodrigues
Sent: Monday, November 08, 2004 6:48 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Bofra: "PayPal" and "WebCam" emails exploiting IE vuln

This is a very preliminary report with very sketchy information.

NYU has seen a rapid spread of a hybrid email/browser virus, which may be what Sophos calls "Bofra". It can be characterized by two different emails, which I will summarize as:

"Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days.\n\n To see details please click this link."

"Hi! I am looking for new friends. I am from Miami, FL. You can see my homepage with my last webcam photos! Hello!"

Both contain links back to the IP address that sent the email, to tcp ports in the 1639 - 1640 range. On that port appears to be a webserver (of unknown type, with no banner) that will serve up the IE IFrame exploit to whomever browses to the page. The IFrame exploit can be seen in the source of the simple webpage:

<IFRAME SRC=file://BBBBBBBBBBBBBB....

Mail me if you would like a copy of the webpage it serves up. I could not defang it quickly and did not want to email it to everyone. :-)

I do not like this because it attacks a recent vulnerability we can not scan for easily across the network, the propagation mechanism is relatively unique, it contains no viral code we can easily block on the mail server, and a decent chunk of people seem to have fallen for it in a short amount of time.

Phil Rodrigues
Sr Network Security Analyst
New York University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
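Added example, not part of the original thread or any vendor's code: a mail-gateway heuristic for the trait described above, a body link whose host is the same IP address that delivered the message, on a port in the reported 1639 - 1640 range. It assumes the receiving MTA writes the peer address in square brackets in the topmost Received header; the sample message, addresses and URL path are constructed.

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlsplit

# Port range taken from the report above; widen it for general use.
REPORTED_PORTS = range(1639, 1641)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Assumption: the receiving MTA records the peer address as [a.b.c.d].
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample message (documentation address space, made-up path).
SAMPLE = (
    "Received: from pc (unknown [192.0.2.10]) by mx.example.edu; "
    "Mon, 8 Nov 2004 17:44:00 -0500\n"
    "From: a@example.com\nTo: b@example.edu\nSubject: Hi!\n\n"
    "You can see my homepage http://192.0.2.10:1640/index.htm\n"
)


def sending_ip(msg):
    """Return the peer IP from the topmost Received header, or None."""
    received = msg.get_all("Received") or [""]
    match = RECEIVED_IP_RE.search(str(received[0]))
    try:
        return ipaddress.ip_address(match.group(1)) if match else None
    except ValueError:  # e.g. [999.1.1.1]
        return None


def self_hosted_links(raw_message):
    """Return body URLs that point back at the sending IP on a reported port."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    peer = sending_ip(msg)
    body = msg.get_body(preferencelist=("plain", "html"))
    if peer is None or body is None:
        return []
    hits = []
    for url in URL_RE.findall(body.get_content()):
        try:
            parts = urlsplit(url)
            host = ipaddress.ip_address(parts.hostname or "")
            port = parts.port
        except ValueError:
            continue  # host is a name, or the URL/port is malformed
        if host == peer and port in REPORTED_PORTS:
            hits.append(url)
    return hits
```

Calling `self_hosted_links(SAMPLE)` returns the single constructed URL; a message relayed from a different address, or linking to an ordinary port, returns an empty list.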