Lucene search
Bofra Virus Detection
🗓️ 03 Nov 2005 00:00:00Reported by This script is Copyright (C) 2004 Brian Smith-SweeneyType 
openvas🔗 plugins.openvas.org👁 17 Views
The remote host is infected with the Bofra virus, which uses an Internet Explorer IFRAME exploit
Show more
10
| Source | Link |
|---|---|
| securityresponse | www.securityresponse.symantec.com/avcenter/venc/data/[email protected] |
# OpenVAS Vulnerability Test
# $Id: bofra_detect.nasl 6053 2017-05-01 09:02:51Z teissa $
# Description: Bofra Virus Detection
#
# Authors:
# Brian Smith-Sweeney ([email protected])
# http://www.smithsweeney.com
#
# Copyright:
# Copyright (C) 2004 Brian Smith-Sweeney
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
tag_summary = "The remote host seems to have been infected with the Bofra virus or one of its
variants, which infects machines via an Internet Explorer IFRAME exploit.
It is very likely this system has been compromised.";
tag_solution = "Re-install the remote system.
";
# Created: 11/15/04
# Last Updated: 11/15/04
if(description)
{
script_id(15746);
script_version("$Revision: 6053 $");
script_tag(name:"last_modification", value:"$Date: 2017-05-01 11:02:51 +0200 (Mon, 01 May 2017) $");
script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
script_tag(name:"cvss_base", value:"10.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_cve_id("CVE-2004-1050");
script_bugtraq_id(11515);
name = "Bofra Virus Detection";
summary = "Determines the presence of a Bofra virus infection resulting from an IFrame exploit";
family = "Malware";
script_name(name);
script_category(ACT_GATHER_INFO);
script_tag(name:"qod_type", value:"remote_analysis");
script_copyright("This script is Copyright (C) 2004 Brian Smith-Sweeney");
script_family(family);
script_dependencies('http_version.nasl');
script_require_ports(1639);
script_tag(name : "solution" , value : tag_solution);
script_tag(name : "summary" , value : tag_summary);
script_xref(name : "URL" , value : "http://securityresponse.symantec.com/avcenter/venc/data/[email protected]");
exit(0);
}
#
# User-defined variables
#
# This is where we saw Bofra; YMMV
port=1639;
#
# End user-defined variables; you should not have to touch anything below this
#
# Get the appropriate http functions
include("http_func.inc");
include("http_keepalive.inc");
if ( ! get_port_state ( port ) ) exit(0);
# Prep & send the http get request, quit if you get no answer
req = http_get(item:"/reactor",port:port);
res = http_keepalive_send_recv(port:port, data:req);
if ( res == NULL ) exit(0);
hex_res=hexstr(res);
if ("3c0049004600520041004d00450020005300520043003d00660069006c0065003a002f002f00" >< hex_res )
security_message(port);
else {
if (egrep(pattern:"<IFRAME SRC=file://",string:res)){
security_message(port);
}
}
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo03 Nov 2005 00:00Current
0.6Low risk
Vulners AI Score0.6
EPSS0.74457