November 8, 2004 4:57 PM PST

New MyDoom draws on IE flaw to spread

A new version of MyDoom uses an unpatched flaw in Microsoft's Internet Explorer to spread, antivirus companies warned on Monday.

The recently discovered vulnerability in the browser software allows the offshoot to infect a PC after a user clicks on a link, according to advisories from security software makers Symantec and McAfee. The program sneaks past antivirus applications that detect malicious software by scanning e-mail messages with attached programs.

The companies said they had only detected a few instances of the infector, which is labelled MyDoom.AG by McAfee and MyDoom.AH by Symantec.

"We have only received one submission from the field, but the technical aspects of this are concerning," said Craig Schmugar, senior virus research manager at McAfee. "It has all the components there to become a significant virus."

It's not the first time a code writer has exploited a flaw in a Microsoft product before the software giant has had a chance to plug the hole. An aggressive advertiser attempted to surreptitiously install a pop-up toolbar in victim's Web browsers using two previously unpatched security flaws in Internet Explorer.

Microsoft said that it was investigating the flaw and was aware of a new virus exploiting the issue.

"As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources," said Microsoft in a statement sent to CNET "In addition, we continue to encourage customers follow our 'Protect Your PC' guidance of enabling a firewall, getting software updates and installing antivirus software."

The latest MyDoom virus appears as an e-mail in an inbox. The body of the message states: "Look at my homepage with my last webcam photos!" or "FREE ADULT VIDEO! SIGN UP NOW!" Both messages have text that links them to a Web page generated by the virus and hosted on the infected computer that sent the e-mail.

When the victim clicks on the link, a Windows-based PC will call Internet Explorer and load a malicious Web page from the previously infected computer. The page contains the IFrame vulnerability recently publicized on security mailing lists. The virus uses the flaw to execute code on the victim's computer, infecting the system. The virus harvests e-mail addresses on the compromised system, sends out mail to spread the virus further, sets up a Web server and attempts to contact several Internet relay chat (IRC) servers as a way to notify the virus's creator of that a new system has been compromised.

The fact that the virus creates a Web server and uses that server to infect other systems is a significant departure from previous versions of MyDoom, and other viruses in general, Schmugar said.

"There was a decent amount of work that went into this," he said. "There was a good bit of attention (among security researchers) to the demo code (of this flaw). Someone grabbed the demo code and tweaked it quite a bit."

McAfee rates the program a low threat, but Schmugar said he thinks it might spread widely.


Join the conversation!
Add your comment
Firewall won't do much good here...
It comes in as a link through email, and then downloads itself using HTTP. A firewall is totally useless here. Unless you completely blok HTTP, but then you could even just disconnect from the Internet, and then you also no longer need a firewall...

The remedies proposed by M$ aren't helping much... Their complete security approach is flawed.

And don't come arguing that M$ is most exposed because of their market penetration. There are countless programmers working for open source, don't tell me they all have only good intentions.
The only reason M$ is taking the heat is because they make it sooooooo easy.
Posted by Steven N (487 comments )
Reply Link Flag
Firewalls are really meant to keep hackers out of your system and help you control what programs access the internet. The product to use in this case would be your anti-virus software (along with common sense). By keeping your computer up-to-date you can reduce the risk of catching th3 virus.
Posted by Michael00360 (58 comments )
Link Flag
up-to-date won't help... M$ hasn't patched anything yet.

So the only thing that is still "valid" of their security approach is the antivir.

My approach is: ditch IE and you have a lot less worries
Posted by Steven N (487 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.