W32/Bofra.B@mm

• Type: Worm
• Spreading mechanism: Email, Webpage
• Overall risk: Low
• Payload: Sets up a web server and attempts to connect to IRC servers
• Detected by virus detection files published: 11/9/2004
• Virus characteristics first published: 11/9/2004
• Virus characteristics latest update: 2/24/2005
• Alias: W32/Mydoom.ah@MM, I-Worm/Mydoom.AC, I-Worm.Mydoom.ad, W32.Mydoom.AH@mm, W32/Bofra-B
• Infection type: Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista

Email characteristics:
  • Subject: Variable; for example 'Hello!', 'Hey!', 'Hi!' or 'Confirmation', with the letter case varied
  • Body:

    Several body texts possible:

    1.

    Congratulations! PayPal has successfully charged $175 to your credit
    card. Your order tracking number is A866DEC0, and your item will be shipped
    within three business days.

    To see details please click this link
    DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by
    an automated message system and the reply will not be received.

    Thank you for using PayPal.

    2.

    Hi! I am looking for new friends. I am from Miami, FL. You can see my homepage with my last webcam photos!

    3.

    Hi! I am looking for new friends.
    My name is Jane, I am from Miami, FL.
    See my homepage with my weblog and last webcam photos!
    See you!

  • Attachment: None

The worm does not arrive as an attachment. Instead the mail contains a link to a malformed HTML page hosted on another infected system. If the recipient opens that link in an Internet Explorer that has not been patched against the overflow, the page triggers a buffer overflow in the browser, which then downloads and executes the worm. A mail without an attachment therefore passes attachment-based filters; the lure text and the link are the only indicators at the gateway.
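The following gateway check is an added example and is not part of the original VirusFighter description. It scores a raw RFC 822 message against the email characteristics listed above: one of the known subjects compared case-insensitively (the worm varies the case), body text reused from the PayPal or "looking for new friends" lures, and an http link with no attachment. The two sample messages, the link target 192.0.2.10 and the scoring weights are constructed for this demo.

```python
"""Mail-gateway check for the W32/Bofra.B@mm lure messages.

Added example, not code from the original VirusFighter page. Sample mails,
the link target 192.0.2.10 and the weights below are constructed.
"""
import email
import re
from email import policy

KNOWN_SUBJECTS = {"hello!", "hey!", "hi!", "confirmation"}
BODY_PHRASES = (
    "paypal has successfully charged",
    "your order tracking number is",
    "i am looking for new friends",
    "last webcam photos",
)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
FLAG_THRESHOLD = 3  # assumed cut-off for this demo


def score_message(raw: bytes) -> dict:
    """Return the indicators found in one message and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # The worm varies the case of the subject, so compare in lower case.
    subject = str(msg["subject"] or "").strip().lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    links = URL_RE.findall(text)
    has_attachment = any(p.get_filename() for p in msg.iter_attachments())
    phrases = [p for p in BODY_PHRASES if p in text.lower()]

    score, reasons = 0, []
    if subject in KNOWN_SUBJECTS:
        score += 1
        reasons.append(f"known subject {subject!r}")
    if phrases:
        score += 2
        reasons.append("lure text: " + ", ".join(phrases))
    if links and not has_attachment:
        # The worm never attaches itself: the link is the whole delivery.
        score += 1
        reasons.append(f"link without attachment: {links[0]}")
    verdict = "bofra-lure" if score >= FLAG_THRESHOLD else "clean"
    return {"score": score, "verdict": verdict, "reasons": reasons, "links": links}


# Constructed sample: the PayPal lure with the subject in upper case.
LURE_MAIL = b"""\
From: service@example.com
To: user@example.net
Subject: CONFIRMATION
Content-Type: text/plain; charset="us-ascii"

Congratulations! PayPal has successfully charged $175 to your credit
card. Your order tracking number is A866DEC0, and your item will be shipped
within three business days.

To see details please click this link http://192.0.2.10/
DO NOT REPLY TO THIS MESSAGE VIA EMAIL!
"""

# Constructed sample: ordinary mail that happens to use one of the short subjects.
BENIGN_MAIL = b"""\
From: alice@example.net
To: bob@example.net
Subject: Hi!
Content-Type: text/plain; charset="us-ascii"

Are we still on for lunch at noon?
"""

if __name__ == "__main__":
    for raw in (LURE_MAIL, BENIGN_MAIL):
        print(score_message(raw))
```

The subject alone scores only one point, so a legitimate "Hi!" mail stays clean; it is the combination of lure text and a bare link with no attachment that marks the message.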

When first run, the worm copies itself to the Windows System folder under a random name that always ends in "32", for example jaicbw32.exe. It then injects itself into the memory space of the Windows Explorer process, so it does not appear as a separate entry in the process list. From there it starts its web server and its emailing routine.

The worm will make a number of changes to the registry:

• Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version".
• Creates key "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version".
• Deletes the values "center", "reactor", "Rhino", "Reactor3" and "Reactor4" from key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
• Creates value "Reactor5"="C:\WINDOWS\SYSTEM\<WORM FILENAME>" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

Note: The deleted Run values apparently belong to earlier worms of this series.
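The following check is an added example and is not part of the original VirusFighter description. It parses the text of a `reg export` file (Windows Registry Editor Version 5.00 format, already decoded from UTF-16 to str) and reports the registry changes listed above: the ComExplore\Version marker keys, the Run values used by this worm series, and any Run value that starts a System-folder binary named random letters followed by "32.exe". The two sample exports are constructed; the letters-only prefix is an assumption drawn from the jaicbw32.exe example.

```python
"""Check a Registry export for the W32/Bofra.B@mm persistence changes.

Added example, not code from the original VirusFighter page. The sample
exports are constructed; the letters-only prefix before "32.exe" is an
assumption based on the jaicbw32.exe example.
"""
import re

RUN_KEY = r"\software\microsoft\windows\currentversion\run"
MARKER_KEY = r"\software\microsoft\windows\currentversion\explorer\comexplore\version"
FAMILY_RUN_VALUES = {"center", "reactor", "rhino", "reactor3", "reactor4", "reactor5"}
# Random letters + "32.exe" in the System folder. Heuristic only: a Run value
# pointing at a legitimate *32.exe (e.g. regedt32.exe) would match as well.
WORM_EXE_RE = re.compile(r"\\system(?:32)?\\[a-z]+32\.exe$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> dict:
    """Map each [key] in a .reg export to its list of (name, data) string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])  # keys without values still count
        elif current is not None and (m := VALUE_RE.match(line)):
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
            keys[current].append((name, data))
    return keys


def find_bofra_indicators(text: str) -> list:
    """Return human-readable hits for the registry changes this worm makes."""
    hits = []
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        if k.endswith(MARKER_KEY):
            hits.append(f"marker key present: {key}")
        if k.endswith(RUN_KEY):
            for name, data in values:
                if name.lower() in FAMILY_RUN_VALUES:
                    hits.append(f"Run value {name!r} from this worm series -> {data}")
                elif WORM_EXE_RE.search(data):
                    hits.append(f"Run value {name!r} starts a System-folder *32.exe -> {data}")
    return hits


# Constructed export from an infected host: Reactor5 plus both marker keys.
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Reactor5"="C:\\WINDOWS\\SYSTEM\\jaicbw32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComExplore\Version]
"""

# Constructed export from a clean host.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Updater"="C:\\Program Files\\Example\\update.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer]
"""

if __name__ == "__main__":
    for label, export in (("infected", INFECTED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(label, find_bofra_indicators(export) or "no indicators")
```

The empty ComExplore\Version keys are reported on their own, since the worm creates them without values; the Run value is what actually restarts the worm, so removal on a live host means deleting Reactor5 and the file it points to, not just the marker keys.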