PureBytes Links
Trading Reference Links
|
THREAT ADVISORY: McAfee Avert Raises Risk Assessment to Medium on New
W32/Mydoom.ah@xx Virus
McAfee AVERT Discovers New Mydoom Virus In-the-Wild
BEAVERTON, Ore., Nov. 9 /PRNewswire-FirstCall/ -- McAfee, Inc. (NYSE:
MFE)
the leading provider of intrusion prevention solutions, today announced that
McAfee(R) AVERT(TM) (Anti-virus and Vulnerability Emergency Response Team),
the world-class research division of McAfee, Inc., raised the risk
assessment
to Medium on the recently discovered W32/Mydoom.ah@xx worm, also known as
Mydoom.ah. This new variant is a mass-mailing worm that makes use of a new
attack targeting a Microsoft Internet Explorer IFRAME buffer overflow
vulnerability. Infectious messages sent by Mydoom.ah do not contain an
attachment, but rather a hyperlink directing people to an infected machine.
Following the hyperlink results in an infection occurring on the target
victim's system, if they are running a vulnerable Microsoft Internet
Explorer
Web browser.
To date, McAfee AVERT has received close to 100 reports of the virus
being
stopped or infecting users from the field, from both the virus itself as
well
as customer submissions. Most of these reports have arrived from the United
States.
Threat Overview
Mydoom.ah is a mass mailing threat that contains its own SMTP engine to
construct outgoing messages. It harvests addresses from local files and then
uses the harvested addresses in the 'From' field to send itself. This
produces
a message with a spoofed From address. Unlike many of the other Mydoom
variants, there is no attachment to the message. The homepage or link
hyperlink points to the infected system that sent the email message.
Clicking
on the link, accesses a Web server running on the compromised system. The
Web
server serves HTML that contains IFRAME buffer overflow code to
automatically
execute the virus. Users should be very wary and should most likely delete
any
email containing the following:
From: (address is spoofed and may be exchange-robot@xxxxxxxxxx when
sending the PayPal message body below)
Subject:
-- hi!
-- hey!
-- Confirmation
-- blank
Message Body: The message body will be one of the following:
Congratulations! PayPal has successfully charged $175 to your credit
card.
Your order tracking number is A866DEC0, and your item will be shipped within
three business days.
To see details please click this link .
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an
automated message system and the reply will not be received.
Thank you for using PayPal.
-or-
Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my homepage with my weblog and last webcam photos!
See you!
Threat Pathology
After being executed, Mydoom.ah copies itself into the Windows System
directory with a random filename that ends in 32.exe. A registry run key is
created to load the virus at system startup, such as:
-- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "Reactor3" = C:\WINDOWS\System32\heztiv32.exe
Other registry keys are also created:
-- HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Explorer\ComExplore
-- HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Explorer\ComExplore\Version
-- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Explorer\ComExplore
-- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Explorer\ComExplore\Version
Mydoom.ah will show Windows Explorer listening on TCP Port 1639, the
port
the web server runs on.
System Protection and Cure
More information on Mydoom.ah and the cure for this worm can be found
online at the McAfee AVERT site located at
http://vil.nai.com/vil/content/v_129631.htm . McAfee AVERT is advising its
customers to update to the 4405 DATs to stay protected.
McAfee(R) Entercept(R), by default, protects against code execution that
may result from exploitation of the IFRAME buffer overflow vulnerability.
This
protection functions regardless of whether the latest McAfee Entercept
security content has been deployed.
McAfee(R) VirusScan(R) Enterprise 8.0i buffer overflow protection
protects
systems from this threat, by preventing the code execution that occurs
during
a W32/Mydoom.ah@xx buffer overflow infection.
McAfee AVERT Labs is one of the top-ranked anti-virus and vulnerability
research organizations in the world, employing researchers in thirteen
countries on five continents. McAfee AVERT combines world-class malicious
code
and anti-virus research with intrusion prevention and vulnerability research
expertise from the McAfee(R) IntruShield(R) and McAfee(R) Entercept(R)
organizations, two research arms that were acquired through IntruVert
Networks
and Entercept Security. McAfee AVERT protects customers by providing cures
that are developed through the combined efforts of McAfee AVERT researchers
and McAfee AVERT AutoImmune technology, which applies advanced heuristics,
generic detection, and ActiveDAT technology to generate cures for previously
undiscovered viruses.
About McAfee, Inc.
McAfee, Inc., headquartered in Santa Clara, Calif., creates
best-of-breed
intrusion prevention and risk management solutions. McAfee's market-leading
security products and services help large, medium and small businesses,
government agencies, and consumers prevent intrusions on networks and
protect
computer systems from critical threats. Additionally, through the Foundstone
Professional Services division, leading security consultants provide
security
expertise and best practices for organizations. For more information,
McAfee,
Inc. can be reached at 972-963-8000 or on the Internet at
http://www.mcafee.com/ .
NOTE: McAfee, IntruShield, Entercept VirusScan and AVERT are either
registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in
the United States and/or other countries. The color red in connection with
security is distinctive of McAfee brand products. All other registered and
unregistered trademarks herein are the sole property of their respective
owners
SOURCE McAfee, Inc.
Photo Notes: NewsCom:
http://www.newscom.com/cgi-bin/prnh/20040426/MCAFEELOGO AP
Archive: http://photoarchive.ap.org PRN Photo Desk,
photodesk@xxxxxxxxxxxxxx
Web Site: http://www.mcafee.com/
----------------------------------------------------------------------------
----
More news from PR Newswire...
Issuers of news releases and not PR Newswire are solely responsible for the
accuracy of the content.
Terms and conditions, including restrictions on redistribution, apply.
Copyright © 1996-2004 PR Newswire Association LLC. All Rights Reserved.
A United Business Media company.
|