More Mydooms on the move

Two new auto-execute variants are circulating that take advantage of the Windows IFRAME flaw.

Experts are warning Windows users about two Mydoom variants that could gain some traction due to clever social engineering and the ability to auto-execute when the recipient clicks an e-mailed URL. Microsoft has yet to release a patch for the IFRAME vulnerability they exploit.

Mydoom-AG@mm, called "Bofra" by Sophos, uses a spoofed from address and a number of subject lines, including:

  • funny photos :)
  • hello
  • hey!
  • It also could instead display random characters or be left blank. The body text is either "Look at my homepage with my last webcam photos!" or "FREE ADULT VIDEO! SIGN UP NOW!" that are links to an external Web site that uses the IFRAME exploit to infect the victim.

    "…this worm represents increased risk and this vulnerability may be attacked by other malcode or malicious Web sites," said Dave Kennedy, director of research services at Cybertrust, formerly TruSecure Corp. "This worm's author, or another, could quickly modify the code to create malcode that would avoid detection and create risk."

    That worm was quickly followed by a variant, Mydoom-AH, which installs a Web server on the infected system to host the IFRAME vulnerability and has better inducement to click on the link provided. Once again, the from address is spoofed and subjects vary, from being left blank to including:

  • hi!
  • hey!
  • Confirmation
  • The body is either: "Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days. To see details please click this link. DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received. Thank you for using PayPal." or "Hi! I am looking for new friends. My name is Jane, I am from Miami, FL. See my homepage with my weblog and last webcam photos! See you!"

    According to Cybertrust, clicking on the link infects the user with Mydoom-AH and installs a Web server. The worm searches then for e-mail addresses and begins sending out bait e-mails.

    Though neither is spreading quickly as the original Mydoom did, experts believe additional variants may be on the way.

    "Cybercriminals continue to compress the timeline for attack," Ken Dunham, director of malicious code at Reston, Va.-based iDefense said in a statement. "Mydoom-AF comes less than a week after the vulnerability was posted online, and more variants and other worms are likely to attack the IFRAME vulnerability as criminals attempt to take advantage of this situation prior to a patch being released."

    "Companies and individual users should take caution, as Mydoom has a history of spreading rapidly, evolving in the underground, and evading traditional security technologies," added Dunham.

    The IFRAME vulnerability is caused by a boundary error in the handling of attributes in the IFRAME HTML tag that can be exploited to cause a buffer overflow.

    Windows XP with SP2 is not affected by this vulnerability. Other Windows users can disable active scripting and the Windows scripting host. Cybertrust recommends reading HTML mail as plaintext and disabling the Preview Pane in Outlook, not following unsolicited HTML links, and maintaining up-to-date antivirus desktop, e-mail gateway and Web content filtering solutions.

    More information on Mydoom-AG
    More information on Mydoom-AH.

    This article originally appeared on SearchSecurity.com.

    Dig deeper on Network intrusion detection and prevention and malware removal

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    SearchVirtualDesktop

    SearchWindowsServer

    SearchExchange

    Close