Security experts today increased the risk assessment assigned to the recently discovered W32/[email protected] worm, also known as Mydoom.ah.
According to McAfee's Avert antivirus research team, the latest Mydoom mutant is a mass-mailing worm that makes use of a previously undocumented attack method to target a Microsoft Internet Explorer Iframe buffer overflow vulnerability.
Infectious messages sent by Mydoom.ah do not contain an attachment, but rather a hyperlink directing people to an infected machine.
Following the hyperlink infects the recipient's system if it is running a vulnerable Internet Explorer browser.
"To date, McAfee Avert has received close to 100 reports of the virus being stopped or infecting users from the field, from both the virus itself as well as customer submissions. Most of these reports have arrived from the US," the security firm warned.
Mydoom.ah contains its own SMTP engine to construct outgoing messages. It harvests addresses from local files and then uses the 'From' field to send itself. This produces a message with a spoofed 'From' address.
Clicking on the hyperlink accesses a web server running on the compromised system. The web server serves HTML that contains Iframe buffer overflow code to automatically execute the virus.
Users should be very wary and should most likely delete any email containing the following:
[Address is spoofed and may be '[email protected]' when sending the PayPal message body below.]
Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days.
To see details please click this link.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received. Thank you for using PayPal.
Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my homepage with my weblog and last webcam photos!
After being executed, Mydoom.ah copies itself into the Windows System directory with a random filename that ends in '32.exe'. A registry run key is created to load the virus at system startup.
Mydoom.ah will then start Internet Explorer listening on TCP port 1639, the port on which the infected web server runs.
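The indicators described above (no attachment, a link to a web server on TCP port 1639, a Run-key entry for a '32.exe' file in the Windows System directory) can be combined into a simple triage check. The following is an added example, not code from McAfee or from the original article; the function names, the default system directory paths, the sample message and the assumption that the link names the port explicitly are all constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

WORM_PORT = 1639  # TCP port the article gives for the worm's web server
# Assumption: default Windows system directories, lower-cased for comparison.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\system", r"c:\winnt\system32"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
EXE_RE = re.compile(r'"?([^"]+?\.exe)', re.I)

def mail_indicators(raw):
    """Return URLs on WORM_PORT found in a message that has no attachment."""
    parts = list(message_from_string(raw).walk())
    if any(p.get_filename() for p in parts):
        return []  # per the article, infectious messages carry no attachment
    hits = []
    for part in parts:
        if part.get_content_maintype() != "text":
            continue
        body = (part.get_payload(decode=True) or b"").decode("latin-1")
        for url in URL_RE.findall(body):
            try:
                if urlsplit(url).port == WORM_PORT:
                    hits.append(url)
            except ValueError:  # malformed port in the URL
                continue
    return hits

def host_indicators(run_values, listening_ports):
    """run_values: {value name: command} from a Run key; listening_ports: TCP ports."""
    suspects = []
    for name, command in run_values.items():
        match = EXE_RE.match(command.strip())
        if not match:
            continue
        folder, _, exe = match.group(1).lower().rpartition("\\")
        if folder in SYSTEM_DIRS and exe.endswith("32.exe"):
            suspects.append(name)
    listener = WORM_PORT in listening_ports
    # '32.exe' also matches legitimate files such as rundll32.exe, so a Run-key
    # hit alone is only worth a review; both indicators together are the strong signal.
    if suspects and listener:
        return "likely", suspects
    return ("review" if suspects or listener else "clean"), suspects

# Constructed sample message (documentation address, not from the article).
SAMPLE_MAIL = ("From: sender@example.test\r\nContent-Type: text/plain\r\n\r\n"
               "To see details please click this link: http://192.0.2.10:1639/\r\n")
```

Because the filename is random apart from its suffix, the Run-key match is deliberately treated as weak on its own and only escalated when the port 1639 listener is also present.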
More information on Mydoom.ah and the cure for this worm can be found at the McAfee Avert website.