Re: W32/Mydoom.ag@MM - Heads Up!
From: Brian A. (gonefis'n_at_afarawaylake)
Date: 11/09/04
- In reply to: PCR: "Re: W32/Mydoom.ag@MM - Heads Up!"
- Next in thread: PCR: "Re: W32/Mydoom.ag@MM - Heads Up!"
- Reply: PCR: "Re: W32/Mydoom.ag@MM - Heads Up!"
Date: Tue, 9 Nov 2004 15:42:34 -0600
How about this for a little convincing then.
http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ai@mm.html
Also Known As : W32/Mydoom.ag@MM [McAfee], WORM_MYDOOM.AG [Trend Micro], W32/Bofra-A [Sophos], MyDoom.AG [F-Secure], Win32.Mydoom.AF [Computer Associates], I-Worm.Mydoom.ad [Kaspersky]
Systems Affected : Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
And as mentioned in PA Bear's post, you must click on the hyperlink to execute the virus, unless I'm misinterpreting it.
The email contains a hyperlink that, when clicked on, takes the user to an .html page that exploits the Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability (BID 11515). When this page is viewed the file http://[remote address]:1639/reactor is downloaded as %Desktop\vv.dat to the infected computer and executed. This file is detected as W32.Mydoom.AH@mm.
--
Brian A.
Conflicts start where information lacks.
http://www.dts-l.org/goodpost.htm

"PCR" <pcrrcp@netzero.net> wrote in message news:es4Sy8gxEHA.3212@TK2MSFTNGP09.phx.gbl...
> It hasn't been confirmed for us (Win98) yet, PA.
>
> Internet Explorer IFRAME Buffer Overflow Vulnerability
> http://secunia.com/advisories/12959/
> .....Quote................
> The vulnerability has been confirmed in the following versions:
> * Internet Explorer 6.0 on Windows XP SP1 (fully patched).
> * Internet Explorer 6.0 on Windows 2000 (fully patched).
> ....EOQ...................
>
> Anyway, I see nothing in Sent Items over the last few days that I
> haven't personally sent!
>
>
> --
> Thanks or Good Luck,
> There may be humor in this post, and,
> Naturally, you will not sue,
> should things get worse after this,
> PCR
> pcrrcp@netzero.net
> "PA Bear" <PABear@mvps.org> wrote in message
> news:u7fnQTexEHA.1260@TK2MSFTNGP12.phx.gbl...
> | From: http://forums.mcafeehelp.com/viewtopic.php?t=34893
> |
> | <quote>
> | This brand new version of MyDoom is HTML based and does not contain
> | attachments. It also exploits a critical IE vulnerability, so AV protection
> | plus best practices are needed -- as this one has some potential.
> |
> | W32/Mydoom.ag@MM - Zero Day IE I-FRAME Attack
> | http://secunia.com/virus_information/13213/mydoom.ag/
> | http://vil.nai.com/vil/content/v_129630.htm
> |
> | This W32/Mydoom@MM variant makes use of a zero day attack targeting a
> | Microsoft Internet Explorer IFRAME buffer overflow vulnerability. The virus
> | spreads by sending email messages to addresses found on the local system.
> | The message appears as follows:
> |
> | From: Spoofed address
> | Subject: may vary
> |
> | * funny photos :)
> | * hello
> | * hey!
> | * blank
> |
> | There is no attachment to the message. The homepage hyperlink points to the
> | infected system which sent the email message. Clicking on the link, accesses
> | a web server running on the compromised system. The web server serves HTML
> | that contains IFRAME buffer overflow code to automatically execute the
> | virus.
> | </quote>
> | --
> | ~Robear Dyer (PA Bear)
> | MS MVP-Windows (IE/OE)
> |
>
>
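The traits quoted in this thread (no attachment, one of the listed subjects, a hyperlink to the sending machine, and a download from port 1639 at /reactor) can be turned into a mail and proxy-log triage check. The sketch below is an added example, not part of the original post or any vendor tool; treating "points to the infected system" as an IP-literal link is an assumption, and the sample messages and addresses are constructed.

```python
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlsplit

# Subjects from the quoted description; "blank" is modelled as an empty subject.
SUBJECTS = {"funny photos :)", "hello", "hey!", ""}
HREF = re.compile(r'href\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)

def host_is_ip(url):
    """True when the URL's host is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def is_payload_url(url):
    """Match the download URL shape quoted above: port 1639, path /reactor."""
    try:
        parts = urlsplit(url)
        return parts.port == 1639 and parts.path == "/reactor"
    except ValueError:  # malformed host or out-of-range port
        return False

def triage(raw):
    """Return (traits, ip_links) for a raw RFC 822 message string."""
    msg = message_from_string(raw)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    body = "".join(
        (p.get_payload(decode=True) or b"").decode("latin-1")
        for p in leaves if p.get_content_maintype() == "text")
    links = [u for u in HREF.findall(body) if host_is_ip(u)]
    traits = []
    if not any(p.get_filename() for p in leaves):
        traits.append("no-attachment")
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        traits.append("known-subject")
    if links:
        traits.append("ip-literal-link")
    return traits, links

# Constructed samples (192.0.2.0/24 is a documentation address range).
WORM_LIKE = ("From: someone@example.com\nSubject: funny photos :)\n"
             "Content-Type: text/html\n\n"
             '<a href="http://192.0.2.44/index.htm">homepage</a>\n')
BENIGN = ("From: news@example.com\nSubject: Weekly digest\n"
          "Content-Type: text/html\n\n"
          '<a href="https://www.example.com/digest">read online</a>\n')
```

A message showing all three traits is worth quarantining for review; any single trait on its own is common in legitimate mail.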