Experts are warning Windows users about two Mydoom variants that could gain some traction due to clever social engineering and the ability to auto-execute when the recipient clicks an e-mailed URL. Microsoft has yet to release a patch for the IFRAME vulnerability they exploit.
Mydoom-AG@mm, called "Bofra" by Sophos, uses a spoofed from address and a number of subject lines, including:
"…this worm represents increased risk and this vulnerability may be attacked by other malcode or malicious Web sites," said Dave Kennedy, director of research services at Cybertrust, formerly TruSecure Corp. "This worm's author, or another, could quickly modify the code to create malcode that would avoid detection and create risk."
That worm was quickly followed by a variant, Mydoom-AH, which installs a Web server on the infected system to host the IFRAME vulnerability and has better inducement to click on the link provided. Once again, the from address is spoofed and subjects vary, from being left blank to including:
The body is either: "Congratulations! PayPal has successfully charged $175 to your credit
Requires Free Membership to View
When you register, you’ll also receive targeted alerts from my team of editorial writers and independent industry experts with the latest news, tips, and advice to help you do your job more efficiently and effectively. Our goal is to keep you informed on the hottest topics and biggest challenges faced by IT professionals today working with desktop management and security technologies.
Margie Semilof, Editorial Director
- card. Your order tracking number is A866DEC0, and your item will be shipped within three business days. To see details please click this link. DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received. Thank you for using PayPal." or "Hi! I am looking for new friends. My name is Jane, I am from Miami, FL. See my homepage with my weblog and last webcam photos! See you!"
According to Cybertrust, clicking on the link infects the user with Mydoom-AH and installs a Web server. The worm searches then for e-mail addresses and begins sending out bait e-mails.
Though neither is spreading quickly as the original Mydoom did, experts believe additional variants may be on the way.
"Cybercriminals continue to compress the timeline for attack," Ken Dunham, director of malicious code at Reston, Va.-based iDefense said in a statement. "Mydoom-AF comes less than a week after the vulnerability was posted online, and more variants and other worms are likely to attack the IFRAME vulnerability as criminals attempt to take advantage of this situation prior to a patch being released."
"Companies and individual users should take caution, as Mydoom has a history of spreading rapidly, evolving in the underground, and evading traditional security technologies," added Dunham.
The IFRAME vulnerability is caused by a boundary error in the handling of attributes in the IFRAME HTML tag that can be exploited to cause a buffer overflow.
Windows XP with SP2 is not affected by this vulnerability. Other Windows users can disable active scripting and the Windows scripting host. Cybertrust recommends reading HTML mail as plaintext and disabling the Preview Pane in Outlook, not following unsolicited HTML links, and maintaining up-to-date antivirus desktop, e-mail gateway and Web content filtering solutions.
More information on Mydoom-AG
More information on Mydoom-AH.
This article originally appeared on SearchSecurity.com.