New MyDoom Variant uses unpatched exploit, Phishing tip, AV False Positive, Virus Naming

Published: 2004-11-08
Last Updated: 2004-11-09 04:02:53 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
Reminder: Webcast this Wednesday. Details:
New MyDoom Variant uses IFRAME exploit

We received several reports of a new MyDoom variant making the rounds.
McAfee lables it 'MyDoom.AG' and 'MyDoom.AH'. This virus claims to contain a link to pornographic images. The web page this link refers to will use the so far unpatched 'IFRAME' vulnerability to infect the target computer. The
target system itself will become a web server for the malicious code.

Another version of the email claims to come from Paypal.

A couple other observations so far:

+ The web server listens on a high port (so far, it is reported in the
1600-1700 range. Seems to vary from machine to machine

+ The e-mail includes fake headers that identify the e-mail as anti-virus scanned (and found harmless)
The email itself does not appear to include any malicious code. Many anti-spam filter may catch it due to it's content. The malicious code is launched once the user clicks on the URL and connects to the remote server with a vulnerable version of Internet Explorer.
selected user reports about this virus:


We have been hit with the Paypal version of this exploit and I can tell you that the current version of Trend doesn't detect it at all.
Below is the text of the message:

Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days.

To see details please click this 'link'
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received.

Thank you for using PayPal.

My experience showed that the infected PC establishes a TCP 6667 connection with several IPs and sends a continual barrage of smtp messages outbound to public sites. The infected system showed a vv.bat file on the desktop which was also running as a process.


Phishing tip

Quick note to all webmasters out there: One was to make it harder for
people to impersonate your site is to personalize it for your users.

First time the user logs in, set a cookie with a simple personal, but
non-confidential string (e.g. user's first name). Next time the user
comes back, great them with this string before they log in.

If you want to do it fancy, allow the user to set the string (but
validate it ;-) ).

A phishing site will not be able to read the cookie containing the
string if you limit it to your domain. As a result, the user will not see
the greeting string and maybe get tipped off that the site is fake.

Diary flagged as Virus

We did receive a couple of reports that part two of Tom Liston's "follow
the bouncing malware" story was flagged as containing malicious code.

We can assure everyone that the diary does not include any malicious code.
However, some of the strings quoted are from actual malware, and some
AV scanners happen to use these strings as part of their signatures.

Trust us!

Virus Naming

On Friday, we published an open letter to Anti-Virus Software companies.
(see: ). The letter was
contributed by our reader Chris Mosby.

I would like to take the opportunity to comment on the ongoing problem of "Virus Babel" and respond to a couple points raised in the letter.

In my opinion, one problem is the large number of very similar malware
released in rapid sequence. For example, according to Symantec, today
version 'BQJ' of Gaobot was spotted, which gets us to about 1800
(1804 if my math is right). The first version of Gaobot was released a bit over a year ago.

For malware analysts, analyzing minute differences between different versions my provide a unique insight into the bot/virus scene. However, for the anti-virus software user, it doesn't matter if the AV software caught Gaobot.AAA or .AAB, as long as it successfully detected and disposed of the malware before it could do any damage.

In this sense, I would suggest that anti virus software will become smarted in identifying variations of known malware, in particular if the variation has been generated by automated packers or obfuscater.

BTW: We do not have any plans to become a 'Virus Name Clearing House' as suggested in the letter. It may be fun to do, but we just don't have the resources.

(great spot to discuss this issue: our mailing list, ).

Country Reports

yes. they are broken. Will be back shortly... Mike H.: Next time please include your e-mail address if you want a response ;-).


Johannes Ullrich, jullrich'at;sans&org

CTO SANS Internet Storm Center.

0 comment(s)


Diary Archives