Security firms are warning of a new e-mail worm that began infecting computers just days after the vulnerability it exploits in the Internet Explorer (IE) browser was made public.
The worm, which some information security experts say is a variation of the MyDoom virus that ravaged the Web earlier this year, is spread through e-mail but does not rely on getting users to open attachments, as past worms have, according to antivirus firm McAfee.
Instead, it uses promises of payments or suggestions of unauthorized credit card use to get users to click links that connect them to an infected machine and spread the worm. Other versions use the promise of a Webcam site or similar enticements. Once a machine is infected, the program harvests e-mail addresses and sends out versions of itself.
Spreads Through Links
While most security firms have labeled the threat of the worm in the medium range, it is significant because of how quickly it was developed, Graham Cluley, technology consultant with Sophos antivirus, said.
“This is one of the fastest turnarounds of vulnerability discovery to full-blown worm that we have ever seen,” Cluley said. The flaw, which he called “serious,” was found just last week and no patch was available as of today.
Sophos has dubbed the worm “Bofra” and Cluley said it cannot properly be considered a MyDoom variant because it relies on links to spread, rather than attachments.
In a bulletin, Microsoft called the worm a version of MyDoom and said XP users who have installed Service Pack 2 were at “reduced risk.” It did not give a timeline for providing a specific patch.
Security firms said the specific vulnerability was discovered and made public on Friday in Web postings by hackers going by the aliases of “ned” and “SkyLined.” Later that day, security firm Secunia and the U.S. CERT posted warnings about the flaw.
Symantec said today it had logged about 40 reports of two variations on the MyDoom virus and said it expects the spread rate to remain relatively low because of the design of the worm.
McAfee said that so far it has received about 100 reports of the virus in the wild. It boosted its risk rating on the MyDoom virus to medium.
F-Secure director of antivirus research Mikko Hypponen said a patch for the I-Frames vulnerability that enables the attack did not appear to be part of Microsoft’s latest monthly patch release. He said the new worm seemed to borrow parts of the MyDoom shell but also some of the techniques used to spread the Blaster worm, which spread itself not from a central location but from infected machine to target machine.
He said F-Secure had yet to see widespread infection reports as well, but said the worms are significant for the security industry because of how fast they appeared.
“These viruses are one of the fastest ever to take advantage of a new security vulnerability,” he added.