Risk: Medium
A new version of MyDoom uses an unpatched flaw in Microsoft's Internet Explorer to spread, antivirus companies have warned its customers and the community.
The recently discovered vulnerability in the browser software allows the offshoot to infect a PC after a user clicks on a link, according to advisories from security software makers Symantec and McAfee. The program sneaks past antivirus applications that detect malicious software by scanning email messages with attached programs.
The companies said they had only detected a few instances of the infector, which is labelled MyDoom.AG by McAfee and MyDoom.AH by Symantec.
It's not the first time a code writer has exploited a flaw in a Microsoft product before the software giant has had a chance to plug the hole. An aggressive advertiser attempted to surreptitiously install a pop-up toolbar in victim's web browsers using two previously unpatched security flaws in Internet Explorer.
Microsoft said that it was investigating the flaw and was aware of a new virus exploiting the issue.
"As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources," said Microsoft in a statement. "In addition, we continue to encourage customers to follow our 'Protect Your PC' guidance of enabling a firewall, getting software updates and installing anti-virus software."
The latest MyDoom virus appears as an email in the inbox. The body of the message states: "Look at my homepage with my last webcam photos!" or "FREE ADULT VIDEO! SIGN UP NOW!" Both messages have text that links them to a web page generated by the virus and hosted on the infected computer that sent the email.
When the victim clicks on the link, a Windows-based PC will call Internet Explorer and load a malicious web page from the previously infected computer. The page contains the iFrame vulnerability recently publicised on security mailing lists. The virus uses the flaw to execute code on the victim's computer, infecting the system. The virus harvests email addresses on the compromised system, sends out mail to spread the virus further, sets up a web server and attempts to contact several Internet relay chat (IRC) servers as a way to notify the virus's creator that a new system has been compromised.
The fact that the virus creates a web server and uses that server to infect other systems is a significant departure from previous versions of MyDoom, and other viruses in general, Schmugar said.
Both companies have stated that a "decent amount of work" went into writing the infector code, however it seems to have been created using proof-of-concept code that was released into the public domain.