NEWS FROM THE LAB - Tuesday, November 9, 2004

More on the new IFRAME worms Posted by Mikko @ 08:30 GMT

Turns out these new Mydoom.AG and Mydoom.AH variants might not be Mydooms at all. Our comparison tools show only around 49% correlation between these and the last Mydooms. So that would explain why the technique is so different.

These viruses are also one of the fastest ever to take advantage of a new security vulnerability. The exploit was only posted publicly on Friday, and the viruses were out by Tuesday.

So the virus spreads in four steps:

1. Infected machine ("predator") sends out tons of emails with a link
2. Recipient on the target machine ("prey") follows the link back to a website on the infected machine
3. Exploit on the web page downloads and runs the virus, turning the prey into another predator
4. Repeat

To make this clearer, have a look at our high-tech illustration:

[Image: High-tech illustration]
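The four-step loop above has a property a mail gateway can key on: the link in the lure mail points back at the very machine the mail came from, and the page it serves carries the exploit in an IFRAME. The following is an added example written for this page, not F-Secure's own tooling; it flags mails whose embedded URLs name the same IP found in the outermost Received: header, and inventories the IFRAME tags in a fetched page. The sample mail, page, addresses and port are constructed, and the heuristic is an assumption about how such lures look rather than something the post states.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Hypothetical detection helper (added example, not from the original post):
# the worm mails out links that lead back to a web server on the sending
# machine, so a link whose host equals the connecting IP is a strong signal.

URL_RE = re.compile(r'https?://[^\s"<>\]]+', re.IGNORECASE)
RECEIVED_IP_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')
IFRAME_RE = re.compile(r'<iframe\b[^>]*>', re.IGNORECASE)


def connecting_ip(msg):
    """IP literal from the outermost Received: header, or None."""
    for hdr in msg.get_all('Received', []):
        m = RECEIVED_IP_RE.search(hdr)
        if m:
            return m.group(1)
    return None


def message_text(msg):
    """Concatenate the text/* parts of a single-part or multipart message."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == 'text':
            parts.append(part.get_payload())
    return '\n'.join(parts)


def links_pointing_at_sender(raw_email):
    """Return the body URLs whose host is the IP the mail arrived from."""
    msg = message_from_string(raw_email)
    sender_ip = connecting_ip(msg)
    if sender_ip is None:
        return []
    hits = []
    for url in URL_RE.findall(message_text(msg)):
        if urlparse(url).hostname == sender_ip:
            hits.append(url)
    return hits


def iframes_in_page(html):
    """List the <iframe ...> tags in a fetched page; the exploit described in
    the post is delivered through an IFRAME, so an unexpected one is worth a look."""
    return IFRAME_RE.findall(html)


# Constructed sample input (not a real capture): a lure mail whose link
# names the same address the mail was received from.
SAMPLE_MAIL = """\
Received: from predator.example ([198.51.100.23]) by mx.example.org; Tue, 9 Nov 2004 08:00:00 +0000
From: "friend" <friend@example.net>
To: victim@example.org
Subject: new photos
Content-Type: text/plain

Check out these pictures: http://198.51.100.23:1639/photos.htm
Also on our site: http://www.example.org/news
"""

# Constructed sample page as the predator machine might serve it.
SAMPLE_PAGE = """<html><body>
<p>Loading photos...</p>
<iframe src="http://198.51.100.23:1639/frame.htm" width="1" height="1"></iframe>
</body></html>"""


if __name__ == '__main__':
    print('links back to sender:', links_pointing_at_sender(SAMPLE_MAIL))
    print('iframes on page:', iframes_in_page(SAMPLE_PAGE))
```

Run against the constructed mail, the first URL is flagged and the second (a normal site) is not; the page check reports the single IFRAME. Real deployments would also want the mail's originating IP taken from the gateway's own connection record rather than trusting a Received: header the sender could forge.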