The worms, classified into either the Bofra or MyDoom families by antivirus firms, are unusual in several respects, propagating without the need for attachments and using social engineering tricks often found in phishing attacks.
Several security firms noted a significant number of submissions since Bofra hit the Internet on Monday, and issued medium seriousness alerts accordingly.
Rather than send itself as an executable email attachment, a trick even the dumbest of email users must be getting wise to by now, Bofra installs a web server and emails the IP address of the compromised machine as a link to its next wave of victims.
People who click that link and are running a vulnerable version of IE (any version of IE 6, unless XP Service Pack 2 is also installed) find themselves downloading the worm from the previously compromised machines.
Previously, worms that relied on victims downloading and running executables from the web have used a small number of web servers to distribute the malicious code, which made them fairly easy to shut down.
Because Bofra directs each wave of victims to the IP address of the previous victim, this is one occasion when being behind a NAT (network address translation) firewall can actually offer protection, if not against infection then at least against propagation: a link to a private IP address cannot be reached from outside the NAT.
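The propagation mechanism described above (a mail whose link points at the raw IP address of a previously infected host rather than at a hostname) is something a mail gateway can flag. The following is an added example, not code from the article or from any antivirus vendor named in it: it pulls URLs out of a message body, reports links whose host is a bare IP literal, and notes whether that address is private (RFC 1918 and similar), which is the case where the NAT observation applies. The sample messages and the addresses in them are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Simple URL matcher for plain-text mail bodies (assumption: http/https links only).
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages in the style the article describes; not real worm text.
SAMPLE_MESSAGES = [
    "Confirm your PayPal account here: http://11.22.33.44/confirm.html",
    "Check out my webcam pics! http://192.168.1.5:80/cam/",
    "Monthly newsletter: https://www.example.com/news",
]


def extract_links(body):
    """Return every http(s) URL found in a message body."""
    return URL_RE.findall(body)


def classify_link(url):
    """Describe why a link is suspicious, or return None if it uses a hostname."""
    host = urlparse(url).hostname
    if host is None:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # ordinary hostname, not an IP literal
    return {
        "url": url,
        "host": host,
        "bare_ip": True,
        # Private addresses are unreachable from outside a NAT, so such a link
        # cannot spread the worm beyond the sender's own network.
        "private": ip.is_private,
    }


def flag_suspicious_links(body):
    """Return the classification of every bare-IP link in a message body."""
    return [c for c in (classify_link(u) for u in extract_links(body)) if c]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg)
        for hit in flag_suspicious_links(msg):
            print("  bare-IP link:", hit["url"], "(private)" if hit["private"] else "(public)")
```

A gateway rule built on this would quarantine or tag messages whose links resolve to a bare public IP, since legitimate senders (PayPal among them) link to hostnames; links to private addresses are harmless to outside recipients but are still worth logging, because they point back at an infected machine on the sender's own network.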
The worm harvests its email addresses locally on machines it infects. The text of the email purports to come from PayPal or from a girl with a webcam. It installs a Trojan so that attackers can access the machine for further naughtiness.
Antivirus companies named the worms either Bofra.A and B or MyDoom.AG, AH or AI. F-Secure Corp said they share only 49% of the characteristics of MyDoom and should probably be classified as a new family. Sophos coined the name Bofra.