New Version of MyDoom Worm in Zero-Day Attack

Buffer overflow in fully patched pre-SP2 Internet Explorer allows arbitrary code execution.

Anti-virus companies are reporting a worm that spreads via a new vulnerability in Internet Explorer.

The vulnerability is not present in Windows XP Service Pack 2, but in all earlier versions of Internet Explorer 6, and no patch is available. It involves a buffer overflow triggered by an IFRAME or EMBED tag, which has an oversized SRC or NAME attribute.

/zimages/6/28571.gifWhat will be the next great worm? Find out here.

The worm, known as MyDoom.ag in McAfees naming, does not have a file attachment, as is typical of mail worms. Instead, it installs a Web server on Port 1639 of the infected system. The e-mails it sends out to spread itself contains a link to the server on the infected computer.

The page served when a user clicks the link, which takes the form http://aaa.bbb.ccc.ddd:1639/webcam.htm (where aaa.bbb.ccc.ddd is the IP address of the infected user), invokes the Internet Explorer vulnerability. The worm then takes over, downloading more files and spreading itself.

The use of an IP address means that users behind an NAT server cannot effectively spread the worm. Indeed, Ken Dunham, director of malicious code at iDefense Inc., said, "Home and SOHO users without sufficient perimeter defenses are most likely to be victimized."

/zimages/6/28571.gifFor insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

Most other anti-virus vendors are also terming the new worm a MyDoom variant, although Sophos plc. calls it Bofra-A. Vendors are generally terming this a low threat because it hasnt been seen in the wild, but some have elevated the threat because of the new techniques and the absence of a patch for the vulnerability.

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis.