Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))

From: pachiderme pachiderme <pachiderme () gmail com>
Date: Tue, 9 Nov 2004 14:52:40 +0100
I just read this news about the first implementation :

F-Secure Virus Descriptions : MyDoom.AG

This Mydoom variant is considerably different from previous Mydooms.
In fact, it might not be a variant at all, but a totally new virus
family.

It does spread over email, like Mydooms normally do. However, this new
variant do not send attachments at all; instead they send emails with
links to a website. There are several different emails.

Interestingly, the link points to a website which is actually running
on the infected machine that sent the email in the first place. The
worm accomplishes this by installing a small web server on port 1639
on each infected machine. This technique is a bit similar to what for
example Blaster worm does to transfer itself to each infected machine;
instead of using a central download server it turns each infected
machine to one.

Even more interestingly, the web page uses a brand new IFRAME
vulnerability in Internet Explorer to infect the computer. There's no
patch for Windows 2000 or XP SP1 yet. Windows XP SP2 is not vulnerable

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: