MoMusings

Tuesday 9th November, 2004


New MyDooms or Not New MyDooms?

Filed under: All, Malware

Hmmm….. well it seems that we are off to a good start today!

First I received a number of alerts about two new MyDoom variants that appear to have ‘got lucky’ and are spreading in the wild.

Links to descriptions of these so-called MyDooms:

Now, however, it seems they may not be MyDooms at all, but something altogether new instead.
I just adore the ‘high-tech’ illustration of the spreading mechanism on this blog ;-)

So what do we know about them so far?

Well, the following are the facts that have been established so far:

  • It uses the new vulnerability, only discovered on the 2nd of November, in Internet Explorer 6; the exploit works against unpatched systems. The vulnerability lies in how IE parses the IFRAME HTML tag. More details on this can be found here. NO PATCH EXISTS AT THE TIME OF POSTING.
  • The worm arrives as an e-mail; the following are the body texts that have been seen so far, and there are probably others:

    Congratulations! 

    PayPal has successfully charged $175 to your credit card.

    Your order tracking number is A866DEC0, and your item will be shipped within three business days.
    To see details please click this link.

    DO NOT REPLY TO THIS MESSAGE VIA EMAIL!
    This email is being sent by an automated message system and the reply will not be received.
    Thank you for using PayPal

    OR:

    Hi! 

    I am looking for new friends.My name is Jane, I am from Miami, FL.
    See my homepage with my weblog and last webcam photos!

    See you!

    OR:

    Hi! 

    I am looking for new friends. I am from Miami, FL.
    You can see my homepage  with my last webcam photos!
    
  • There is NO attachment: the worm gets installed when the recipient clicks on the link (and only on an unpatched, vulnerable system, not on a non-vulnerable one such as Windows XP with SP2, Firefox or Linux ;-) ).
  • The link leads to an already infected system, which uses the vulnerability to push the worm's binary onto the recipient's machine. The worm then installs itself, spawns a ‘web server’ (believed to be on port 1639) to host the infected file, and sends out e-mails (with forged From addresses) to potential new victims.
  • It also connects to IRC.
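
Since the lure carries no attachment and the only thing to catch at the mail gateway is the link, a useful check is to flag messages that combine one of the body texts above with a link to a bare IP address or to the worm's believed port. The following is an added example written for this post, not code from the original post or from any vendor; the lure phrases are lifted from the three body texts above, the port-1639 heuristic comes from the description above, the bare-IP heuristic is my own assumption (an infected home or office PC, not a hosted domain), and the two sample messages are constructed for the example.

```python
"""Flag e-mails that match the worm lures described above (added example)."""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlsplit

# Phrases taken from the three lure body texts quoted in the post (matched case-insensitively).
LURE_PHRASES = (
    "paypal has successfully charged",
    "i am looking for new friends",
    "webcam photos",
)

# Port the post says the worm's spawned web server is believed to listen on.
WORM_HTTP_PORT = 1639

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _body_text(msg: Message) -> str:
    """Return the concatenated text/plain and text/html parts of a message as a string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "latin-1", "replace"))
    return "\n".join(chunks)


def suspicious_urls(text: str) -> list:
    """URLs that point at a bare IPv4 address or at the worm's web server port.

    Assumption: a link to an already infected machine will name it by IP (no DNS)
    and/or use port 1639, so either property alone is treated as a hit."""
    hits = []
    for url in URL_RE.findall(text):
        parsed = urlsplit(url.rstrip(".,);"))
        host = parsed.hostname or ""
        if parsed.port == WORM_HTTP_PORT or IPV4_RE.match(host):
            hits.append(url)
    return hits


def classify(raw_message: str) -> dict:
    """Score one raw RFC 822 message.

    A lure phrase together with a suspicious link gives 'worm_lure';
    either one on its own gives 'review'; neither gives 'clean'."""
    msg = message_from_string(raw_message)
    text = _body_text(msg)
    lowered = text.lower()
    phrases = [p for p in LURE_PHRASES if p in lowered]
    urls = suspicious_urls(text)
    has_attachment = any(part.get_filename() for part in msg.walk())
    if phrases and urls:
        verdict = "worm_lure"
    elif phrases or urls:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "phrases": phrases, "urls": urls, "attachment": has_attachment}


# Constructed sample: the PayPal lure with a forged sender and a link to a
# bare IP on port 1639 (192.0.2.0/24 is a documentation range, not a real host).
SAMPLE_PAYPAL = """From: service@paypal.com
To: victim@example.org
Subject: Congratulations!
Content-Type: text/plain

Congratulations!
PayPal has successfully charged $175 to your credit card.
To see details please click this link: http://192.0.2.10:1639/details.html
DO NOT REPLY TO THIS MESSAGE VIA EMAIL!
"""

# Constructed sample: an ordinary receipt with a normal hostname link.
SAMPLE_LEGIT = """From: shop@example.com
To: victim@example.org
Subject: Your receipt
Content-Type: text/plain

Thanks for your order. Track it at https://www.example.com/orders/12345
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PAYPAL, SAMPLE_LEGIT):
        print(classify(sample))
```

The "review" verdict exists on purpose: the lure texts will be re-worded by later variants, and a link to a bare IP or to port 1639 is worth a look even without a phrase match, while a phrase match with no link is probably just a reply or a forwarded warning.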

Help?

So, what do you use to disinfect yourself at this time? I suggest this for now: McAfee’s Stinger.

To stop the exploit in its tracks, you can do the following:

Use another browser, such as Mozilla or Firefox, instead of IE6 until a patch is available.


