New MyDoom Worm Hits IE

New versions of a worm resembling MyDoom began spreading Monday afternoon, just days after security firms reported a new bug in Microsoft's Internet Explorer Web browser.

The worms spread via an e-mailed link that touts an adult webcam site or claims a $175 PayPal credit awaits the recipient.

Anti-virus software maker McAfee has dubbed the worms MyDoom.ag and MyDoom.ah. They infect machines by exploiting the IE vulnerability known as IFRAME, named after the HTML tag that can be used to cause a buffer overflow. There is currently no patch available.

“We’re not surprised to see [the new MyDoom worms],” Alfred Huger, senior director of engineering for Symantec’s security response team, told TechWeb, “since it’s really simple to exploit this vulnerability.

“It's not quite a zero-day exploit, but it’s close,” he said.

As of Tuesday, the worms had affected only a modest number of machines, and McAfee virus researchers said the problem probably wouldn’t get much bigger.

On Tuesday afternoon, the McAfee Web site rated the MyDoom.ah threat as medium, while MyDoom.ag was rated low-profiled.

Since the exploit code for the IFRAME vulnerability is publicly available, hackers can quickly add it to MyDoom code. Since there is no patch, experts expect several new pieces of malicious code exploiting the hole to emerge in the coming weeks.

“As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources,” Microsoft said in a statement. “In addition, we continue to encourage customers to follow our ‘Protect Your PC’ guidance of enabling a firewall, getting software updates and installing anti-virus software.”

Although they have been labeled MyDoom, the worms actually behave somewhat differently from previous variants.

Rather than including their payload in an attached file as previous MyDoom versions did, these include a Web site link in the transmitting message. The link takes the user to a previously compromised PC, where a Web server uploads the worm to the new system. The newly infected machine then sends out e-mails containing the malicious link, and the cycle starts all over again.

This is not the first time a hacker has exploited a flaw in a Microsoft product before the company has had a chance to remedy it. In June, a coder tried to install adware in IE using two previously unpatched security flaws.

The Windows XP Service Pack 2 edition of Internet Explorer doesn’t contain the IFRAME vulnerability, so XP users can prevent infection by updating to SP2. Alternatively, PC users can do what thousands of others already have and switch to another browser.