[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <bd4106a704110905525e2511c6@mail.gmail.com>
From: pachiderme at gmail.com (pachiderme pachiderme)
Subject: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))
I just read this news about the first implementation :
F-Secure Virus Descriptions : MyDoom.AG
This Mydoom variant is considerably different from previous Mydooms.
In fact, it might not be a variant at all, but a totally new virus
family.
It does spread over email, like Mydooms normally do. However, this new
variant do not send attachments at all; instead they send emails with
links to a website. There are several different emails.
Interestingly, the link points to a website which is actually running
on the infected machine that sent the email in the first place. The
worm accomplishes this by installing a small web server on port 1639
on each infected machine. This technique is a bit similar to what for
example Blaster worm does to transfer itself to each infected machine;
instead of using a central download server it turns each infected
machine to one.
Even more interestingly, the web page uses a brand new IFRAME
vulnerability in Internet Explorer to infect the computer. There's no
patch for Windows 2000 or XP SP1 yet. Windows XP SP2 is not vulnerable
Powered by blists - more mailing lists