09 Nov 2004
Security experts today increased the risk assessment assigned to the recently discovered W32/Mydoom.ah@MM worm, also known as Mydoom.ah.
According to McAfee's Avert antivirus research team, the latest Mydoom mutant is a mass-mailing worm that makes use of a previously undocumented attack method to target a Microsoft Internet Explorer Iframe buffer overflow vulnerability.
Infectious messages sent by Mydoom.ah carry no attachment; instead they contain a hyperlink that points at a web server on an already infected machine.
Following the hyperlink infects the victim's system if it is running a vulnerable version of Internet Explorer.
"To date, McAfee Avert has received close to 100 reports of the virus being stopped or infecting users from the field, from both the virus itself as well as customer submissions. Most of these reports have arrived from the US," the security firm warned.
Mydoom.ah contains its own SMTP engine to construct outgoing messages. It harvests email addresses from local files and inserts harvested addresses into the 'From' field when sending itself, so every message carries a spoofed 'From' address.
Clicking on the hyperlink connects to a web server running on the compromised system. That server returns HTML containing code that exploits the Iframe buffer overflow to execute the virus automatically.
Users should be wary of, and should most likely delete, any email with the following characteristics:
From:
[Address is spoofed and may be 'exchange-robot@paypal.com' when sending the PayPal message body below.]
Subject:
hi!
hey!
Confirmation
[blank]
Message Body:
Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days.
To see details please click this link.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received. Thank you for using PayPal.
OR
Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my homepage with my weblog and last webcam photos!
See you!
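The lure characteristics listed above translate directly into mail-gateway triage rules: a subject from the small fixed set, the PayPal or "Jane" body text, a spoofed PayPal sender, no attachment, and a link to a raw IP address on TCP port 1639. The following Python is an added example written for this page, not code from the article or from McAfee; the sample messages, addresses and the 192.0.2.10 address are constructed, and the rule set is limited to what the article describes.

```python
import re
from email import message_from_string
from email.message import Message

# Lure characteristics taken from the article's description of Mydoom.ah.
LURE_SUBJECTS = {"hi!", "hey!", "confirmation", ""}   # "" covers the blank subject
LURE_PHRASES = (
    "paypal has successfully charged",
    "i am looking for new friends",
    "see my homepage with my weblog",
)
WORM_PORT = 1639  # TCP port of the web server the worm starts on an infected host

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IP_URL_RE = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?(?:/|$)", re.IGNORECASE)


def body_text(msg: Message) -> str:
    """Concatenate the decoded text of every non-multipart part of the message."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def has_attachment(msg: Message) -> bool:
    """True if any MIME part carries a filename (i.e. is an attachment)."""
    return any(part.get_filename() for part in msg.walk())


def triage_message(raw: str) -> list[str]:
    """Return the reasons a raw RFC 822 message looks like a Mydoom.ah lure (empty if none)."""
    msg = message_from_string(raw)
    reasons = []

    subject = (msg.get("Subject") or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append(f"subject matches lure set: {subject!r}")

    body = body_text(msg)
    lowered = body.lower()
    for phrase in LURE_PHRASES:
        if phrase in lowered:
            reasons.append(f"body matches lure text: {phrase!r}")

    sender = (msg.get("From") or "").lower()
    if "paypal" in sender and "paypal has successfully charged" in lowered:
        reasons.append("claims a PayPal sender while carrying the known PayPal lure body")

    # The worm delivers its payload through a link to a raw IP, not through a hostname.
    for url in URL_RE.findall(body):
        m = IP_URL_RE.match(url)
        if not m:
            continue
        if m.group(2) == str(WORM_PORT):
            reasons.append(f"link to a raw IP address on TCP {WORM_PORT}: {url}")
        else:
            reasons.append(f"link to a raw IP address: {url}")

    # The worm's messages carry no attachment; infection happens by following the link.
    if reasons and not has_attachment(msg):
        reasons.append("no attachment; payload would arrive by following the link")
    return reasons


# Constructed sample messages (not real traffic): one lure, one ordinary mail.
SAMPLE_LURE = """\
From: exchange-robot@paypal.com
To: victim@example.net
Subject: Confirmation
Content-Type: text/html; charset="us-ascii"

<html><body>
Congratulations! PayPal has successfully charged $175 to your credit card.
To see details please <a href="http://192.0.2.10:1639/">click this link</a>.
</body></html>
"""

SAMPLE_BENIGN = """\
From: alice@example.net
To: bob@example.net
Subject: Quarterly figures
Content-Type: text/plain

The updated figures are at https://intranet.example.net/reports/q3
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, "->", triage_message(raw) or "no indicators")
```

Each reason is returned separately rather than collapsed into a single verdict so that a gateway can weight them: the raw-IP link on port 1639 is the strongest signal, while a subject of "hi!" on its own is far too common to act on.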
After being executed, Mydoom.ah copies itself into the Windows System directory with a random filename that ends in '32.exe'. A registry run key is created to load the virus at system startup.
Mydoom.ah then starts a web server listening on TCP port 1639; this is the server that delivers the Iframe exploit page to victims who follow the emailed hyperlink.
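The two host and network indicators just described (a Run key pointing at a randomly named System32 binary ending in '32.exe', and a listener or connections on TCP port 1639) can be checked mechanically. The Python below is an added example for this page, not McAfee's or the article's code; the registry export and firewall log lines are constructed, and the value name "loader" and filename "lkjrw32.exe" are placeholders standing in for the worm's random name. It also handles the obvious false positive: legitimate System32 binaries such as rundll32.exe and regsvr32.exe also end in "32.exe" and routinely appear under Run.

```python
import re
from pathlib import PureWindowsPath

WORM_PORT = 1639
RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run"
# Legitimate System32 binaries whose names also end in "32.exe"; excluding them keeps
# the suffix rule from flagging every rundll32-based autostart entry.
KNOWN_GOOD_32 = {"rundll32.exe", "regsvr32.exe", "odbcad32.exe"}

REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
EXE_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe|%[^"]*?\.exe)', re.IGNORECASE)
LOG_FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_reg_export(text: str):
    """Yield (key, value_name, value_data) for string values in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE_RE.match(line)
        if key and m:
            # .reg files double every backslash inside string data.
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def suspicious_run_entries(reg_text: str) -> list[tuple[str, str]]:
    """Run-key values launching a System32 binary named *32.exe that is not a known-good one."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        if not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        m = EXE_RE.search(data)
        if not m:
            continue
        path = PureWindowsPath(m.group(1))
        base = path.name.lower()
        in_system32 = "system32" in (p.lower() for p in path.parts)
        if in_system32 and base.endswith("32.exe") and base not in KNOWN_GOOD_32:
            hits.append((name, str(path)))
    return hits


def connections_to_worm_port(log_lines) -> list[tuple[str, str, str]]:
    """(timestamp, src, dst) for TCP flows to port 1639 in key=value firewall log lines."""
    hits = []
    for line in log_lines:
        fields = dict(LOG_FIELD_RE.findall(line))
        if fields.get("proto", "").lower() == "tcp" and fields.get("dport") == str(WORM_PORT):
            hits.append((line.split()[0], fields.get("src", ""), fields.get("dst", "")))
    return hits


# Constructed registry export: two legitimate entries and one placeholder worm entry.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BluetoothAuth"="C:\\WINDOWS\\system32\\rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"loader"="C:\\WINDOWS\\SYSTEM32\\lkjrw32.exe"
'''

# Constructed firewall log lines; only the second is a TCP flow to the worm's port.
SAMPLE_FIREWALL_LOG = [
    "2004-11-09T10:21:03Z src=10.0.0.5 dst=203.0.113.7 dport=80 proto=tcp action=allow",
    "2004-11-09T10:21:09Z src=10.0.0.5 dst=203.0.113.7 dport=1639 proto=tcp action=allow",
    "2004-11-09T10:22:41Z src=10.0.0.9 dst=198.51.100.4 dport=1639 proto=udp action=allow",
]

if __name__ == "__main__":
    print("suspicious Run entries:", suspicious_run_entries(SAMPLE_REG_EXPORT))
    print("flows to TCP 1639:", connections_to_worm_port(SAMPLE_FIREWALL_LOG))
```

Because the worm picks its filename at random, the "*32.exe" rule is only a triage hint; the stronger corroboration is a host that both carries such a Run entry and is receiving inbound TCP 1639 connections, which is why the two checks are meant to be run together.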
More information on Mydoom.ah, including removal instructions, is available on the McAfee Avert website.