New Version of MyDoom Worm in Zero-Day AttackBy Larry Seltzer | Posted 2004-11-09 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
Buffer overflow in fully patched pre-SP2 Internet Explorer allows arbitrary code execution.
Anti-virus companies are reporting a worm that spreads via a new vulnerability in Internet Explorer.
The vulnerability is not present in Windows XP Service Pack 2, but in all earlier versions of Internet Explorer 6, and no patch is available. It involves a buffer overflow triggered by an IFRAME or EMBED tag, which has an oversized SRC or NAME attribute.
The worm, known as MyDoom.ag in McAfee's naming, does not have a file attachment, as is typical of mail worms. Instead, it installs a Web server on Port 1639 of the infected system. The e-mails it sends out to spread itself contains a link to the server on the infected computer.
The page served when a user clicks the link, which takes the form http://aaa.bbb.ccc.ddd:1639/webcam.htm (where aaa.bbb.ccc.ddd is the IP address of the infected user), invokes the Internet Explorer vulnerability. The worm then takes over, downloading more files and spreading itself.
The use of an IP address means that users behind an NAT server cannot effectively spread the worm. Indeed, Ken Dunham, director of malicious code at iDefense Inc., said, "Home and SOHO users without sufficient perimeter defenses are most likely to be victimized."
Most other anti-virus vendors are also terming the new worm a MyDoom variant, although Sophos plc. calls it Bofra-A. Vendors are generally terming this a low threat because it hasn't been seen in the wild, but some have elevated the threat because of the new techniques and the absence of a patch for the vulnerability.
Check out eWEEK.com's for the latest security news, reviews and analysis.