TROJAN: MyDoom.AH HTTP Infection
This signature detects MyDoom.AH/Bofra.B and similar variants attempting to infect a new host using the Internet Explorer IFRAME name overflow vulnerability. MyDoom.AH runs a Web server on port 1639; when a client connects and requests a page, MyDoom.AH sends the malicious payload to the host.
Extended Description
Microsoft Internet Explorer is reported prone to a remote buffer overflow vulnerability. This issue presents itself due to insufficient boundary checks performed by the application and results in arbitrary code execution or a denial of service. This issue does not affect the following Internet Explorer 6 versions:
- Internet Explorer 6 for Windows Server 2003
- Internet Explorer 6 for Windows Server 2003 64-Bit Edition and Windows XP 64-Bit Edition Version 2003
- Internet Explorer 6 for Windows XP Service Pack 2
Affected Products
Avaya s8100_media_servers, Avaya modular_messaging
References
BugTraq: 11515
CVE: CVE-2004-1050
URL: http://vil.nai.com/vil/content/v_129631.htm
URL: http://www.cert.org/incident_notes/IN-2004-01.html
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Avaya
Microsoft
10.0