Sponsor for PC Pals Forum

Author Topic: MyDoom strikes again through IE flaw  (Read 779 times)

Offline Clive

  • Administrator
  • *****
  • Posts: 75153
  • Won Quiz of the Year 2015,2016,2017, 2020, 2021
MyDoom strikes again through IE flaw
« on: November 09, 2004, 12:04 »
Robert Lemos
CNET News.com
November 09, 2004, 08:53 GMT
 
A new version of MyDoom uses an unpatched flaw in Microsoft's Internet Explorer to spread, antivirus companies warned on Monday.

The recently discovered vulnerability in the browser software allows the offshoot to infect a PC after a user clicks on a link, according to advisories from security software makers Symantec and McAfee. The program sneaks past antivirus applications that detect malicious software by scanning email messages with attached programs.

The companies said they had only detected a few instances of the infector, which is labelled MyDoom.AG by McAfee and MyDoom.AH by Symantec.

Craig Schmugar, senior virus research manager at McAfee, said: "We have only received one submission from the field, but the technical aspects of this are concerning." "It has all the components there to become a significant virus."

It's not the first time a code writer has exploited a flaw in a Microsoft product before the software giant has had a chance to plug the hole. An aggressive advertiser attempted to surreptitiously install a pop-up toolbar in victim's Web browsers using two previously unpatched security flaws in Internet Explorer.

Microsoft said that it was investigating the flaw and was aware of a new virus exploiting the issue.

"As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources," said Microsoft in a statement sent to ZDNet UK sister site CNET News.com. "In addition, we continue to encourage customers follow our 'Protect Your PC' guidance of enabling a firewall, getting software updates and installing antivirus software."

The latest MyDoom virus appears as an email in an inbox. The body of the message states: "Look at my homepage with my last Webcam photos!" or "FREE ADULT VIDEO! SIGN UP NOW!" Both messages have text that links them to a Web page generated by the virus and hosted on the infected computer that sent the email.

When the victim clicks on the link, a Windows-based PC will call Internet Explorer and load a malicious Web page from the previously infected computer. The page contains the IFrame vulnerability recently publicised on security mailing lists. The virus uses the flaw to execute code on the victim's computer, infecting the system. The virus harvests email addresses on the compromised system, sends out mail to spread the virus further, sets up a Web server and attempts to contact several internet relay chat (IRC) servers as a way to notify the virus's creator of that a new system has been compromised.

The fact that the virus creates a Web server and uses that server to infect other systems is a significant departure from previous versions of MyDoom, and other viruses in general, Schmugar said.

"There was a decent amount of work that went into this," he said. "There was a good bit of attention [among security researchers] to the demo code [of this flaw]. Someone grabbed the demo code and tweaked it quite a bit."

McAfee rates the program a low threat, but Schmugar said he thinks it might spread widely.
 

Offline Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Re:MyDoom strikes again through IE flaw
« Reply #1 on: November 09, 2004, 17:38 »
When will people learn?   ::) :P ;D ;D
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline Clive

  • Administrator
  • *****
  • Posts: 75153
  • Won Quiz of the Year 2015,2016,2017, 2020, 2021
Re:MyDoom strikes again through IE flaw
« Reply #2 on: November 09, 2004, 18:44 »
Bofra worms spread via unpatched Internet Explorer security hole, Sophos reports
 
Users who click on links inside emails sent by the worm, may be putting themselves at risk of infection.

Users who think they are clicking on an adult webcam link may catch a nasty infection

Updated 9 November 2004

Experts at Sophos have warned users to be wary of unsolicited emails which attempt to lure users into clicking on a link, but which really enable a malicious family of worms to infect their Windows computers.

Sophos is reporting many sightings of emails designed to fool users into being infected by the W32/Bofra family of worms (also known as W32/Mydoom.AG, W32/Mydoom.AH, or W32/Mydoom.AI).

Emails sent by the W32/Bofra-A worm use a variety of different subject lines and message bodies, including:


Subject lines:
Hello
funny photos :)

Message bodies:
Look at my homepage with my last webcam photos!
FREE ADULT VIDEO! SIGN UP NOW!

Emails sent by W32/Bofra-B have the following characteristics:


Subject line:
Confirmation


Message body:
Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days.

To see details please click this link.

DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received. Thank you for using PayPal.

Full story - more:  http://www.sophos.com/virusinfo/articles/bofra.html

Offline Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Re:MyDoom strikes again through IE flaw
« Reply #3 on: November 10, 2004, 20:49 »
:-X
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline Clive

  • Administrator
  • *****
  • Posts: 75153
  • Won Quiz of the Year 2015,2016,2017, 2020, 2021
Re:MyDoom strikes again through IE flaw
« Reply #4 on: November 10, 2004, 20:51 »
:shuddup:


Show unread posts since last visit.
Sponsor for PC Pals Forum