[ISN] New MyDoom draws on IE flaw to spread

InfoSec News isn at c4i.org
Tue Nov 9 06:53:25 EST 2004


By Robert Lemos 
Staff Writer, CNET News.com
November 8, 2004

A new version of MyDoom uses an unpatched flaw in Microsoft's Internet
Explorer to spread, antivirus companies warned on Monday.

The recently discovered vulnerability in the browser software allows
the offshoot to infect a PC after a user clicks on a link, according
to advisories from security software makers Symantec and McAfee. The
program sneaks past antivirus applications that detect malicious
software by scanning e-mail messages with attached programs.

The companies said they had only detected a few instances of the
infector, which is labelled MyDoom.AG by McAfee and MyDoom.AH by

"We have only received one submission from the field, but the
technical aspects of this are concerning," said Craig Schmugar, senior
virus research manager at McAfee. "It has all the components there to
become a significant virus."

It's not the first time a code writer has exploited a flaw in a
Microsoft product before the software giant has had a chance to plug
the hole. An aggressive advertiser attempted to surreptitiously
install a pop-up toolbar in victim's Web browsers using two previously
unpatched security flaws in Internet Explorer.

Microsoft said that it was investigating the flaw and was aware of a
new virus exploiting the issue.

"As a best practice, users should always exercise extreme caution when
opening unsolicited attachments from both known and unknown sources,"  
said Microsoft in a statement sent to CNET News.com. "In addition, we
continue to encourage customers follow our 'Protect Your PC' guidance
of enabling a firewall, getting software updates and installing
antivirus software."

The latest MyDoom virus appears as an e-mail in an inbox. The body of
the message states: "Look at my homepage with my last webcam photos!"  
or "FREE ADULT VIDEO! SIGN UP NOW!" Both messages have text that links
them to a Web page generated by the virus and hosted on the infected
computer that sent the e-mail.

 When the victim clicks on the link, a Windows-based PC will call
Internet Explorer and load a malicious Web page from the previously
infected computer. The page contains the IFrame vulnerability recently
publicized on security mailing lists. The virus uses the flaw to
execute code on the victim's computer, infecting the system. The virus
harvests e-mail addresses on the compromised system, sends out mail to
spread the virus further, sets up a Web server and attempts to contact
several Internet relay chat (IRC) servers as a way to notify the
virus's creator of that a new system has been compromised.

The fact that the virus creates a Web server and uses that server to
infect other systems is a significant departure from previous versions
of MyDoom, and other viruses in general, Schmugar said.

"There was a decent amount of work that went into this," he said.  
"There was a good bit of attention (among security researchers) to the
demo code (of this flaw). Someone grabbed the demo code and tweaked it
quite a bit."

McAfee rates the program a low threat, but Schmugar said he thinks it
might spread widely.

More information about the ISN mailing list