mailing list archives
Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))
From: pachiderme pachiderme <pachiderme () gmail com>
Date: Tue, 9 Nov 2004 14:52:40 +0100
I just read this news about the first implementation :
F-Secure Virus Descriptions : MyDoom.AG
This Mydoom variant is considerably different from previous Mydooms.
In fact, it might not be a variant at all, but a totally new virus
It does spread over email, like Mydooms normally do. However, this new
variant do not send attachments at all; instead they send emails with
links to a website. There are several different emails.
Interestingly, the link points to a website which is actually running
on the infected machine that sent the email in the first place. The
worm accomplishes this by installing a small web server on port 1639
on each infected machine. This technique is a bit similar to what for
example Blaster worm does to transfer itself to each infected machine;
instead of using a central download server it turns each infected
machine to one.
Even more interestingly, the web page uses a brand new IFRAME
vulnerability in Internet Explorer to infect the computer. There's no
patch for Windows 2000 or XP SP1 yet. Windows XP SP2 is not vulnerable
Full-Disclosure - We believe in it.