W32/Mydoom.ah@MM Last Updated 11/10/04 4:30PM

CIT has been notified of a new email virus called W32/Mydoom.ah@MM. W32/Mydoom.ah@MM attempts to exploit a new buffer overflow vulnerability in the way Microsoft's Internet Explorer handles IFRAME. The virus spreads by email sending out messages with a link back to the infected machine. Using the IFRAME exploit, anyone who opens the link with Internet Explorer will automatically download and run the virus from the machine that sent the email.

Note: This exploit does not affect Internet Explorer 6 with Windows XP SP2

The message will appear as:

From: Spoofed email address (example: exchange-r0bot@paypal.com)

Subject: varies and may be similar to those below:

• hi!
• hey!
• Confirmation
• blank with no subject line

Body: varies and may be similar to one of the following:

• Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days.

  To see details please click this link .

  DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received.

  Thank you for using PayPal.

• Hi! I am looking for new friends. My name is Jane, I am from Miami, FL. See my homepage with my weblog and last webcam photos!

Also included is a link that resolves to the infected system that sent the email message. By clicking on the link, the user is directed back to a web server running on the compromised system. This will automatically execute the malicious code, utilizing the IFRAME exploit, on the computer from which the link was opened.

Attachment: none

When the virus infects the system it performs the following actions:

• install a web server listening on TCP Port 1639.
• modify the registry to run at startup as an executeable name *32.exe where * is a random set of letters. (Example: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run "Reactor3" = C:\WINDOWS\System32\heztiv32.exe)
• attempt to connect to a list of IRC servers on port 6667.
• collect email addresses located on the system and send out email, similar the ones described above, to the addresses found on the sytem using a spoofed address. This virus uses its own smtp engine to send email.

McAfee (formerly NAI) has released SuperDat 4405 and later to detect and remove W32/Mydoom.ah@mm.

Symantec has released definitions dated 11/09/04 and later to detect and remove Mydoom.ah@MM. Definitions are available thorugh the LiveUpdate feature of Symantec Antivirus.

For more Information:

http://vil.nai.com/vil/content/v_129631.htm from McAfee.

http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ah@mm.html from Symantec.

http://www.kb.cert.org/vuls/id/842160 from US CERT regarding the IFRAME vulnerability

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.