Weekly Virus Report – IFRAME.BoF Exploit, Mydoom.AE, Mydoom.AF and Gavir.A Worms

This week’s report on viruses and intruders looks at the IFRAME.BoF exploit, as well as the Mydoom.AE, Mydoom.AF and Gavir.A worms.

IFRAME.BoF is an exploit for a buffer overrun vulnerability that occurs in Internet Explorer v6.0 and allows an attacker to remotely execute arbitrary code on the vulnerable computer. This vulnerability is rated as extremely critical.

The exploit can be included in a malicious web page or in an email message in HTML format, which contain executable code. This executable code is automatically run when a buffer overflow occurs. The executable code can be of any kind, which means that any kind of malicious action can be taken on affected computers.

As no patch is yet available to resolve the problem, it is advisable to keep antivirus software as up-to-date as possible. It is also a good idea to disable ‘Active Scripting’ in the browser and change the configuration of the email client so that messages are viewed as plain text.

In fact, the new AE and AF variants of the well-known Mydoom already use the IFRAME.BoF exploit. Both worms -which are similar to each other- spread via email in messages that they generate themselves. To do this they create an HTTP server in communications port 1639.

The messages that Mydoom.AE and Mydoom.AF send include a link to files that contain the IFRAME.BoF exploit in other computers. If the user that receives the email clicks directly on the link and the computer is vulnerable to the exploit, the worms will be downloaded and run automatically on the computer.

Mydoom.AE and Mydoom.AF also try to establish connection with a large number of IRC servers via port 6667.

Finally, Gavir.A is a worm with the exclusive aim of downloading a variant of the Legmir family of Trojans. Gavir.A spreads across shared network resources, creating copies of itself in IPC$ and ADMIN$ resources that it accesses.

Gavir.A also generates a script in a temporary folder in order to delete itself once it has been run.




Share this