RealTime IT News

New MyDoom Variant Aims at IE Hole

It's time to face Doom yet again. The latest MyDoom virus variant is once again running amok across the Internet, according to reports from security firms.

The latest version of the worm is referred to as W32/Mydoom.ah@MM, or Mydoom.ah. The latest MyDoom variant takes advantage of the recently publicized Microsoft Internet Explorer IFRAME buffer overflow vulnerability.

Windows XP SP2 users are not at risk. However, users running XP without the latest service pack upgrade, or using running a non-XP Windows OS (such as Windows 2000) are potentially at risk.

Like the previous members of the Mydoom family, the worm contains its own SMTP mailing engine, which allows it to construct and send outgoing e-mails. It swipes e-mail addresses from a user's machine and uses those addresses in the 'From' field of the outgoing messages. All that means is that users who receive Mydoom.ah messages will have received them from a "spoofed" or forged e-mail address that is not the actual sender of the email.

According to a McAfee advisory, unlike many of the other Mydoom variants, there is no attachment to the message.

"The homepage or link hyperlink points to the infected system that sent the e-mail message. Clicking on the link, accesses a Web server running on the compromised system," McAfee said in a warning. "The Web server serves HTML that contains IFRAME buffer overflow code to automatically execute the virus."

The message payloads of the virus that are being reported by security firms are many and varied. They include forged PayPal messages, as well as subject lines such as "funny photos," ":)"; "hello" and "hey!"

Ken Dunham, director of malicious code at security firm iDEFENSE, noted that well-protected corporate environments would be at less risk than home users and small office/home office (SOHO) users. In his estimation, well-protected corporate users are less likely to be able to access the hostile site. Home and SOHO users without the proper protections are likely to be victimized.

"Cyber criminals continue to compress the timeline for attack," Dunham said in a statement. "MyDoom.AF comes less than a week after the vulnerability was posted online, and more variants and other worms are likely to attack the IFRAME vulnerability as criminals attempt to take advantage of this situation prior to a patch being released."