For what it's worth, I don't have the Declude Virus product. The Declude
Virus product may catch the IFRAME technique in HTML, but you won't see this
technique in HTML, which is why Dave probably thought it was a useful
heads-up in the antispam forum.

I can add to Dave's description:

Trend Micro was detecting both variants early, and calls them MYDOOM.AG and
MYDOOM.AH; I've only seen the .AH variety, and less than 20 of those.  I
think we'll be seeing more of this technique, but perhaps not these
particular variants.

Both of these viruses can be caught with a BODY text filter, but all you see
is a URL.  You can check the links Dave wrote up for details of the virus
message text and fake headers, but I'll note that each variant uses a link
like this (remove the spaces):

h t t p : / / [ip address] : 1639 / [filename]
h t t p : / / [ip address] : 1640 / [filename]

Because it uses a predictable port on which to contact an existing trojan
infectee, I coded the colon + port number plus slash with a moderate weight
(minus the spaces).  I haven't correlated the REMOTEIP with the IP address
in the URL.

You can readily see that the next flavour could easily use port 80 or 443 to
evade content filtering, or it could track a random port and filename; seeing
as how it must already be storing addresses, it could easily be storing ports
and filenames too.

Dave also mentioned that you should keep your Windows up to date.  Only the
Internet Explorer in Windows XP SP2 is not vulnerable to this.  Even Windows
Server 2003 is vulnerable.  Microsoft didn't patch this hole yesterday,
which was "Microsoft Patch Day".

Andrew 8)
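As an added illustration of the BODY-filter idea in Andrew's message (not code from the thread, from Declude, or from any of the posters), the following Python scores constructed message bodies for URLs whose host is a bare IP address; it gives the :1639/ and :1640/ pattern the moderate weight he describes and, going one step further, still adds a small weight when such a URL sits on port 80 or 443, so the evasion he anticipates is not silently missed. The weight values, port list and sample bodies are assumptions made for this example.

```python
import re

# Constructed sample message bodies (not real samples from the thread).
SAMPLES = {
    "mydoom_style": "Check this out: http://192.0.2.10:1639/index.htm",
    "evasive_port80": "See http://192.0.2.11:80/page.htm",
    "benign_hostname": "Read more at http://www.example.com:8080/docs/",
    "no_url": "Lunch tomorrow?",
}

# Ports seen in the .AG/.AH links; the weight values are assumptions.
KNOWN_PORTS = {1639: 6, 1640: 6}
IP_LITERAL_WEIGHT = 3    # any URL whose host is a bare IPv4 literal
DEFAULT_PORT_WEIGHT = 1  # :80 or :443 written explicitly on an IP literal

URL_RE = re.compile(
    r"https?://"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"   # bare IPv4 host, no hostname
    r"(?::(?P<port>\d{1,5}))?"              # optional :port
    r"(?P<path>/[^\s\"'<>]*)?",             # optional /filename
    re.IGNORECASE,
)


def score_body(body: str) -> int:
    """Return a filter weight for one message body.

    The colon + port + slash on an IP-literal URL is the signal: ports
    1639/1640 score highest, while an IP-literal host alone still adds
    weight so a port-80/443 variant is not missed outright.
    """
    total = 0
    for m in URL_RE.finditer(body):
        total += IP_LITERAL_WEIGHT
        port = m.group("port")
        if port is None:
            continue
        port = int(port)
        if port in KNOWN_PORTS and m.group("path"):
            total += KNOWN_PORTS[port]
        elif port in (80, 443):
            total += DEFAULT_PORT_WEIGHT
    return total


def score_all(samples: dict) -> dict:
    """Score every sample body; returns {name: weight}."""
    return {name: score_body(body) for name, body in samples.items()}
```

A real deployment would combine this weight with the filter's other tests rather than act on it alone, since some legitimate mail does carry IP-literal links.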

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 10, 2004 12:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] New virus with unusual deployment


Don't the newer versions of Declude Virus catch the IFRAME vulnerability?

Isn't this a post for the virus list?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- 
> [EMAIL PROTECTED] On Behalf Of Dave Doherty
> Sent: Tuesday, November 09, 2004 9:36 PM
> To: Undisclosed-Recipient:;
> Subject: [Declude.JunkMail] New virus with unusual deployment
> 
> Hi, all -
> 
> "Heads up!"
> 
> There is a new variant of the MyDoom virus that does not work in the 
> usual way.
> 
> Previous MyDoom virii have attached the virus payload to an email
> message. The new variants (AH and AI, so far) simply include links to
> infected machines. The links exploit the Internet Explorer IFRAME
> vulnerability and then worm their way into address books, install SMTP
> servers and self-start registry entries, and generally make nuisances of
> themselves by sending emails to your contacts encouraging them to click
> links back to your machines.
> 
> Since the email does not contain the payload, the virus cannot be
> caught at the email level. Therefore, be especially careful that your
> firewalls and antivirus programs have the definitions for the new
> variants and that all machines on your systems have the very latest
> patches from http://windowsupdate.microsoft.com.
> 
> As of this writing, Symantec has published definitions for the AH and
> AI variants. McAfee has published only the AH variant. Fortinet and
> Sophos have published these variants under the name bofra-a and
> bofra-b.
> 
> More info is at
> 
> http://www.integratedmar.com/connectit/stories/1319.cfm
> http://www.sarc.com/avcenter/venc/data/[EMAIL PROTECTED]
> http://www.sarc.com/avcenter/venc/data/[EMAIL PROTECTED]
> http://www.sophos.com/virusinfo/analyses/w32bofrab.html
> 
> -Dave Doherty
>  Dataworld, Inc.
>  Skywaves, Inc.
> 
> 
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
> 
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To 
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type 
> "unsubscribe Declude.JunkMail".  The archives can be found at 
> http://www.mail-archive.com.
