Attention IE 6.0 Users: Another Worm Variant
New Version of MyDoom Worm in Zero-Day Attack
By Larry Seltzer, eWEEK
November 9, 2004
Anti-virus companies are reporting a worm that spreads via a new vulnerability in Internet Explorer. The vulnerability is not present in Windows XP Service Pack 2, but in all earlier versions of Internet Explorer 6, and no patch is available. It involves a buffer overflow triggered by an IFRAME or EMBED tag, which has an oversized SRC or NAME attribute.
The worm, known as MyDoom.ag in McAfee's naming, does not have a file attachment, as is typical of mail worms. Instead, it installs a Web server on Port 1639 of the infected system. The e-mails it sends out to spread itself contains a link to the server on the infected computer.
The page served when a user clicks the link, which takes the form http://aaa.bbb.ccc.ddd:1639/webcam.htm (where aaa.bbb.ccc.ddd is the IP address of the infected user), invokes the Internet Explorer vulnerability. The worm then takes over, downloading more files and spreading itself.
The use of an IP address means that users behind an NAT server cannot effectively spread the worm. Indeed, Ken Dunham, director of malicious code at iDefense Inc., said, "Home and SOHO users without sufficient perimeter defenses are most likely to be victimized."
posted by Richard at
Thursday, November 11, 2004
0 Comments:
Post a Comment
Links to this post:
Create a Link
<< Home