Educause Security Discussion mailing list archives
Bofra: "PayPal" and "WebCam" emails exploiting IE vuln
From: Phil Rodrigues <phil.rodrigues () NYU EDU>
Date: Mon, 8 Nov 2004 18:47:36 -0500
This is a very preliminary report with very sketchy information.

NYU has seen a rapid spread of a hybrid email/browser virus, which may be what Sophos calls "Bofra". It can be characterized by two different emails, which I will summarize as:

"Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days.\n\n To see details please click this link."

"Hi! I am looking for new friends. I am from Miami, FL. You can see my homepage with my last webcam photos! Hello!"

Both contain links back to the IP address that sent the email, to tcp ports in the 1639 - 1640 range. On that port appears to be a webserver (of unknown type, with no banner) that will serve up the IE IFrame exploit to whomever browses to the page. The IFrame exploit can be seen in the source of the simple webpage:

<IFRAME SRC=file://BBBBBBBBBBBBBB....

Mail me if you would like a copy of the webpage it serves up. I could not defang it quickly and did not want to email it to everyone. :-)

I do not like this because it attacks a recent vulnerability we can not scan for easily across the network, the propagation mechanism is relatively unique, it contains no viral code we can easily block on the mail server, and a decent chunk of people seem to have fallen for it in a short amount of time.

Phil Rodrigues
Sr Network Security Analyst
New York University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
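The two traits described in the message above (a body link whose host is the IP address that delivered the mail, and a port in the 1639 - 1640 range) can be checked on a mail gateway even though the message carries no attachment. The following is an added example, not part of the original post or any NYU tooling; the function names, the assumption that the topmost Received header is written by your own MX, and the sample messages (documentation addresses) are all constructed for illustration.

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SUSPECT_PORTS = range(1639, 1641)  # 1639-1640, the range reported in the post

# Constructed sample messages (RFC 5737 documentation addresses).
SAMPLE_SUSPECT = """\
Received: from unknown ([192.0.2.45]) by mx.example.edu; Mon, 8 Nov 2004 18:00:00 -0500
From: a@example.com
Subject: order

To see details please click this link: http://192.0.2.45:1640/index.htm
"""
SAMPLE_BENIGN = """\
Received: from mail.example.org ([198.51.100.7]) by mx.example.edu; Mon, 8 Nov 2004 18:01:00 -0500
From: c@example.org
Subject: meeting

Agenda: http://www.example.edu/agenda
"""

def connecting_ip(msg):
    """IP literal in the topmost Received header (assumed added by our MX)."""
    received = msg.get_all("Received") or [""]
    m = RECEIVED_IP_RE.search(received[0])
    return m.group(1) if m else None

def check_message(raw):
    """Return [(url, [reasons])] for body links matching the reported traits."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = connecting_ip(msg)
    part = msg.get_body(preferencelist=("plain", "html"))
    findings = []
    for url in URL_RE.findall(part.get_content() if part else ""):
        try:
            parts = urlsplit(url)
            host = str(ipaddress.ip_address(parts.hostname))
            port = parts.port
        except ValueError:
            continue  # host is not an IP literal, or the port is malformed
        checks = (("link-to-sending-ip", host == sender),
                  ("port-1639-1640", port in SUSPECT_PORTS))
        reasons = [name for name, hit in checks if hit]
        if reasons:
            findings.append((url, reasons))
    return findings
```

The link-to-sending-IP check does not depend on the port numbers, so it still applies if a variant listens elsewhere.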