| VID |
24082 |
| Severity |
40 |
| Port |
1639 |
| Protocol |
TCP |
| Class |
BackDoor |
| Detailed Description |
The host appears to be infected with W32.Bofra.Worm or one of its variants. The Bofra worm (also known as MyDoom.AF-AH) is a mass-mailing worm that exploits the Microsoft Internet Explorer IFRAME Buffer Overflow Vulnerability. The worm propagates via email; however, the emails it generates do not contain any binary attachments. Instead, Bofra requires a user to click on a hyperlink that points to an infected machine running a web server. That server provides a specially crafted HTML page which exploits the IE IFRAME buffer overflow.
* References:
  http://www.kb.cert.org/vuls/id/842160
  http://securityresponse.symantec.com/avcenter/venc/data/w32.bofra.c@mm.html
  http://xforce.iss.net/xforce/non_critical/Internet_Explorer_IFRAME_Exploitation.php
* Platforms Affected: Microsoft Windows Any version |
| Recommendation |
Remove this worm immediately. Most antivirus software companies have updated their software to keep W32.Bofra.Worm at bay, so you should download any available updates through your antivirus product's Live Update feature and remove W32.Bofra.Worm using the antivirus software.
-- AND --
Ensure that all patches for Microsoft Windows are applied in order to minimize the threat of a system compromise, and enforce a password policy for all user accounts. |
| Related URL |
CVE-2004-1050 (CVE) |
| Related URL |
11515 (SecurityFocus) |
| Related URL |
17889 (ISS) |
|