November 9, 2004 12:00 PM PST
Double MyDoom for Internet Explorer flaw
The two MyDoom viruses, which differ mainly in the e-mail message sent to potential victims, use a recently publicized vulnerability in Microsoft's browser software to infect PCs once a user clicks on a simple Web link. However, the viruses are not spreading widely because the author failed to use the flaw to the best possible advantage, said Alfred Huger, senior director of security response at antivirus software maker Symantec.
"The author makes it relatively hard for the virus to infect systems," he said. "Thankfully, that makes the spread rate smaller than it could be."
Symantec has only received about 40 reports of the new MyDoom.AI and the older MyDoom.AH variants. It has rated the viruses a "2" on its five-point threat scale, in which "5" marks a dire online threat. On Monday night, after CNET News.com reported the first of the two viruses, antivirus company McAfee raised its threat rating to a "medium" from a "low."
The viruses use a vulnerability in Microsoft's Internet Explorer 6.0 that allows an attacker to run a program on a computer just by getting the user to click on a link. Details of the flaw appeared on security forums last week. Because the flaw lies in how the browser handles certain attributes of the iframe, frame and embed HTML tags, it has been dubbed the IFrame vulnerability.
The flaw affects Internet Explorer 6.0 on Windows 2000 and Windows XP Service Pack 1. Users who have installed Windows XP Service Pack 2 are immune to the programs that use the vulnerability, including the two new variants of the MyDoom virus.
Microsoft said Monday that it was investigating the flaw and was aware of a virus exploiting the issue.
"As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources," said Microsoft in a statement sent to CNET News.com. "In addition, we continue to encourage customers to follow our 'Protect Your PC' guidance of enabling a firewall, getting software updates and installing antivirus software."
The latest MyDooms appear as an e-mail in an inbox. The body of the message sent by one version of the virus states: "Look at my homepage with my last webcam photos!" or "FREE ADULT VIDEO! SIGN UP NOW!" The second variation of the program sends messages looking for new friends or spoofing a PayPal notification that the service had charged the recipient's credit card.
All messages contain a link to a Web page generated by the virus and hosted on the infected computer that sent the e-mail.
When the victim clicks on the link, a Windows-based PC will call up Internet Explorer and load a malicious Web page from the previously infected computer. The page contains an exploit for the IFrame vulnerability, which the viruses use to execute code on the victim's computer, infecting the system. Both of the MyDoom variants harvest e-mail addresses on the compromised system, send out e-mail to spread the viruses further, set up Web servers and attempt to contact several Internet relay chat (IRC) servers as a way to notify the virus's creator that a new system has been compromised.
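The page the victim loads is the one piece of this chain that a mail gateway or Web proxy can inspect before Internet Explorer does. Below is an added example, not code from the article or from Symantec, F-Secure or Microsoft, of a check that flags HTML carrying an unusually long src or name value on an iframe, frame or embed tag. The article says only that the flaw lies in how the browser handles certain attributes of those tags; the assumption that an oversized attribute value is the thing to look for, the 1024-character threshold and the two sample documents are all the example's own.

```python
"""Flag HTML that carries unusually long src/name values on <iframe>,
<frame> and <embed> tags.

Added example, not code from the article, Symantec, F-Secure or
Microsoft. Assumption: the IFrame flaw is triggered by an oversized
attribute value on one of those tags. The 1024-character threshold is
a tuning knob chosen here, not a published constant.
"""
import re
from html.parser import HTMLParser

WATCHED_TAGS = {"iframe", "frame", "embed"}
WATCHED_ATTRS = {"src", "name"}


class _TagScanner(HTMLParser):
    """Structured pass: let the parser tokenise tags and attributes."""

    def __init__(self, max_len):
        super().__init__()
        self.max_len = max_len
        self.findings = []  # (tag, attribute, value length)

    def handle_starttag(self, tag, attrs):
        if tag.lower() not in WATCHED_TAGS:
            return
        for attr, value in attrs:
            if attr.lower() in WATCHED_ATTRS and value is not None \
                    and len(value) > self.max_len:
                self.findings.append((tag.lower(), attr.lower(), len(value)))


# Raw pass: a browser is far more tolerant of broken markup than a
# strict parser, so also look at the bytes directly.
_RAW_TAG_RE = re.compile(r"<\s*(iframe|frame|embed)\b([^>]*)>", re.I | re.S)
_RAW_ATTR_RE = re.compile(
    r"""(src|name)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I | re.S)


def scan_raw(html, max_len):
    """Regex over the raw text; returns (tag, attribute, length) tuples."""
    findings = []
    for tag_match in _RAW_TAG_RE.finditer(html):
        tag = tag_match.group(1).lower()
        for attr_match in _RAW_ATTR_RE.finditer(tag_match.group(2)):
            value = (attr_match.group(2) or attr_match.group(3)
                     or attr_match.group(4) or "")
            if len(value) > max_len:
                findings.append((tag, attr_match.group(1).lower(), len(value)))
    return findings


def find_oversized_attrs(html, max_len=1024):
    """Merge both passes; a finding from either view is reported once."""
    scanner = _TagScanner(max_len)
    scanner.feed(html)
    scanner.close()
    return sorted(set(scanner.findings) | set(scan_raw(html, max_len)))


# Constructed sample documents (not captured from the worm).
BENIGN_PAGE = ('<html><body><iframe src="http://example.invalid/page.html" '
               'name="main"></iframe></body></html>')
SUSPECT_PAGE = ('<html><body><iframe src="http://example.invalid/" name="'
                + "A" * 4096 + '"></iframe></body></html>')

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("suspect", SUSPECT_PAGE)):
        print(label, find_oversized_attrs(page))
```

The regex pass is there because a lenient browser and a strict parser disagree on malformed markup: a tag that Python's HTMLParser fails to tokenise can still be rendered by Internet Explorer, so the two views are merged. A hit is a reason to quarantine the message or page for a look, not to block it outright, since a legitimately long query string in a src value trips the same threshold.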
The viruses apparently share some source code with the original MyDoom viruses, but are otherwise so dissimilar that they appear to be the work of a different author than the one who wrote the original virus, Huger said.
"We think he borrowed the shell code from someone else," he said. "It largely looks like a cut-and-paste virus."
Antivirus company F-Secure has decided the differences are so great that the virus should not earn the MyDoom moniker. F-Secure compared the code of previous MyDoom variants with that of the current viruses and found only a 49 percent correlation, the company stated on its Web site.
It's not the first time a code writer has exploited a flaw in a Microsoft product before the software giant has had a chance to plug the hole. An aggressive advertiser attempted to surreptitiously install a pop-up toolbar in victims' Web browsers using two previously unpatched security flaws in Internet Explorer.
F-Secure noted that the MyDoom viruses exploited the Internet Explorer flaw in near record time. The only recent infectious program to take advantage of a flaw faster than the current MyDoom variants was the Witty worm, released in March.