NEWS FROM THE LAB - Tuesday, November 9, 2004

New Mydooms, new exploits Posted by Mikko @ 06:57 GMT

Two new Mydoom variants were found last night. They are considerably different from previous Mydooms.

They do spread over email, like Mydooms normally do. However, these new variants do not send attachments at all; instead they send emails with links to a website. There are several different emails, for example:

  Congratulations! PayPal has successfully charged $175 to your credit
  card. Your order tracking number is 866DEC0A, and your item will be
  shipped within three business days.
  To see details please click this link

Interestingly, the link points to a website which is actually running on the infected machine that sent the email in the first place. The worm accomplishes this by installing a small web server on port 1639 (or similar) on each infected machine. This technique is a bit similar to what, for example, the Blaster worm does to transfer itself to each infected machine: instead of using a central download server, it turns each infected machine into one.
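The self-hosting trick described above leaves a usable trace in the mail itself: a link to a web server on an ordinary infected home machine will normally point at a raw IP address with an explicit, non-standard port rather than a hostname. The following is an added defender-side example, not code from F-Secure or from this post, that flags such links in message bodies. It assumes that the lure URLs carry an IP-literal host and an explicit port (the page gives the port as 1639 "or similar"; the other port values, the `analyse_link`/`scan_email` names and the sample messages are constructed for the example).

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Port named in the post for the worm's built-in web server ("1639 or similar").
KNOWN_WORM_PORTS = {1639}
# Assumption: ports a legitimate mail link would carry without raising concern.
STANDARD_WEB_PORTS = {80, 443}

# Crude URL extractor: stops at whitespace, angle brackets and quotes.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _is_ip_literal(host):
    """True if host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(url):
    """Return the list of reasons a link looks like a self-hosted worm URL.

    An empty list means no rule fired. Rules, in order:
      1. host is a raw IP address (no DNS name, typical for an infected client)
      2. an explicit port that is not 80/443
      3. the port matches the one reported for Mydoom.AG/AH
    """
    reasons = []
    parts = urlsplit(url.rstrip(".,);"))  # drop trailing punctuation from prose
    host = parts.hostname or ""
    try:
        port = parts.port  # None when the URL has no explicit port
    except ValueError:    # port out of range: treat as suspicious on its own
        return ["unparseable port"]
    if _is_ip_literal(host):
        reasons.append("host is a raw IP address")
    if port is not None and port not in STANDARD_WEB_PORTS:
        reasons.append(f"non-standard port {port}")
    if port in KNOWN_WORM_PORTS:
        reasons.append("port matches Mydoom.AG/AH web server")
    return reasons


def scan_email(body):
    """Map each link in body that fired at least one rule to its reasons."""
    flagged = {}
    for url in URL_RE.findall(body):
        reasons = analyse_link(url)
        if reasons:
            flagged[url] = reasons
    return flagged


# Constructed sample messages (not the actual worm emails); 192.0.2.0/24 is a
# documentation range, so the address below does not point at any real host.
SAMPLE_LURE = (
    "Congratulations! PayPal has successfully charged $175 to your credit card.\n"
    "To see details please click this link http://192.0.2.44:1639/paypal.htm\n"
)
SAMPLE_LEGIT = "Your receipt is available at https://www.example.com/orders/12345\n"

if __name__ == "__main__":
    for name, body in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(name, scan_email(body))
```

In practice this would sit at a mail gateway as one scoring input rather than a hard block: raw-IP links with an odd port are rare in legitimate mail, and the port rule is only as good as the current list, since the post already notes the worm may use other ports.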

Even more interestingly, the web page uses a brand new IFRAME vulnerability in Internet Explorer to infect the computer. There's no patch for Windows 2000 or XP SP1 yet. Windows XP SP2 is not vulnerable.

However, so far we haven't seen significant amounts of infections reported to us.

We detect these two new Mydoom variants as Mydoom.AG and Mydoom.AH with our updates published today as 2004-11-09_01.