Double MyDoom for IE flaw

#1   Double MyDoom for IE flaw
Amras_Ancalimon
Thought I better bring this to EVERYONE's attention !!

**************************************************

A second version of the MyDoom variant that uses a flaw in Internet Explorer has
started to spread, antivirus researchers said on Tuesday.

The two MyDoom viruses, which differ mainly in the e-mail message sent to potential
victims, use a recently publicized vulnerability in Microsoft's browser software to infect
PCs after the users click on a simple Web link. However, the viruses are not spreading
widely because the author failed to use the flaw to the best possible advantage, said
Alfred Huger, senior director of security response at antivirus software maker
Symantec.

"The author makes it relatively hard for the virus to infect systems," he said. "Thankfully,
that makes the spread rate smaller than it could be."

Symantec has only received about 40 reports of the new MyDoom.AI and the older
MyDoom.AH variants. It has rated the viruses a "2" on its five-point threat scale, in which
"5" marks a dire online threat. On Monday night, after CNET News.com reported the first
of the two viruses, antivirus company McAfee raised its threat rating to a "medium" from
a "low."

The viruses use a vulnerability in Microsoft's Internet Explorer 6.0 that allows an attacker
to run a program on a computer just by getting the user to click on a link. Details of the
flaw appeared on security forums last week. Because the flaw exploits an issue with
how Microsoft's browser software handles certain attributes--including the iframe,
frame and embedded HTML tags--it has been dubbed the IFrame vulnerability.

The flaw affects Internet Explorer 6.0 on Windows 2000 and Windows XP Service Pack
1. Users who have installed Windows XP Service Pack 2 are immune to the programs
that use the vulnerability, including the two new variants of the MyDoom virus.

Microsoft said Monday that it was investigating the flaw and was aware of a virus
exploiting the issue.

"As a best practice, users should always exercise extreme caution when opening
unsolicited attachments from both known and unknown sources," said Microsoft in a
statement sent to CNET News.com. "In addition, we continue to encourage customers
to follow our 'Protect Your PC' guidance of enabling a firewall, getting software updates
and installing antivirus software."

The latest MyDooms appear as an e-mail in an inbox. The body of the message sent by
one version of the virus states: "Look at my homepage with my last webcam photos!" or
"FREE ADULT VIDEO! SIGN UP NOW!" The second variation of the program sends
messages looking for new friends or spoofing a PayPal notification that the service had
charged the recipient's credit card.

All messages have text that links them to a Web page generated by the virus and hosted
on the infected computer that originally sent the e-mail.

When the victim clicks on the link, a Windows-based PC will call up Internet Explorer and
load a malicious Web page from the previously infected computer. The page contains the
IFrame vulnerability, which the viruses use to execute code on the victim's computer,
infecting the system. Both of the MyDoom variants harvest e-mail addresses on the
compromised system, send out e-mail to spread the viruses further, set up Web servers
and attempt to contact several Internet relay chat (IRC) servers as a way to notify the
virus's creator that a new system has been compromised.

The viruses apparently share some source code with the original MyDoom viruses, but
otherwise are so dissimilar that it suggests a different author than the one who wrote
the original virus, Huger said.

"We think he borrowed the shell code from someone else," he said. "It largely looks like a
cut-and-paste virus."

Antivirus company F-Secure has decided the differences are so great that the virus
should not earn the MyDoom monicker. F-Secure compared the code of previous
MyDoom variants and the current viruses and only found a 49 percent correlation, the
company stated on its Web site.

It's not the first time a code writer has exploited a flaw in a Microsoft product before the
software giant has had a chance to plug the hole. An aggressive advertiser attempted to
surreptitiously install a pop-up toolbar in victims' Web browsers using two previously
unpatched security flaws in Internet Explorer.

F-Secure noted that the MyDoom viruses exploited the Internet Explorer flaw in near
record time. The only recent infectious program to take advantage of a flaw faster than
the current MyDoom variants was the Witty worm, released in March.

Source: zdnet.com



#2   re: Double MyDoom for IE flaw
SpLiNteR
Just use Firefox, it's better in almost every respect bar the fact that some annoying websites aren't fully compliant with web standards but IE's renderer still displays them fine; Firefox, being more compliant and strict, will render them how they should be rendered and therefore look bad.

About your sig, the staff probably took it off because it was too big or was breaking some sig rule.




#3   re: Double MyDoom for IE flaw
Amras_Ancalimon
Yeah I always use Firefox, in my opinion it's the "Dog's B*****ks" as they say LMAO
I only occasionally use IE.

Yeah I know all about my sig, just haven't got around to changing it yet LOL


