Signature Detail

TROJAN: MyDoom.AH HTTP Infection

This signature detects MyDoom.AH/Bofra.B and similar variants attempting to infect a new host using the Internet Explorer IFRAME name overflow vulnerability. MyDoom.AH runs a Web server on port 1639; when a client connects and requests a page, MyDoom.AH sends the malicious payload to the host.

Extended Description

Microsoft Internet Explorer is reported prone to a remote buffer overflow vulnerability. This issue presents itself due to insufficient boundary checks performed by the application and results in arbitrary code execution or a denial of service. This issue does not affect the following Internet Explorer 6 versions: - Internet Explorer 6 for Windows Server 2003 - Internet Explorer 6 for Windows Server 2003 64-Bit Edition and Windows XP 64-Bit Edition Version 2003 - Internet Explorer 6 for Windows XP Service Pack 2

Affected Products

• Avaya DefinityOne Media Servers R10
• Avaya DefinityOne Media Servers R11
• Avaya DefinityOne Media Servers R12
• Avaya DefinityOne Media Servers R6
• Avaya DefinityOne Media Servers R7
• Avaya DefinityOne Media Servers R8
• Avaya DefinityOne Media Servers R9
• Avaya DefinityOne Media Servers
• Avaya IP600 Media Servers R10
• Avaya IP600 Media Servers R11
• Avaya IP600 Media Servers R12
• Avaya IP600 Media Servers R6
• Avaya IP600 Media Servers R7
• Avaya IP600 Media Servers R8
• Avaya IP600 Media Servers R9
• Avaya IP600 Media Servers
• Avaya Modular Messaging S3400
• Avaya S3400 Message Application Server
• Avaya S8100 Media Servers R10
• Avaya S8100 Media Servers R11
• Avaya S8100 Media Servers R12
• Avaya S8100 Media Servers R6
• Avaya S8100 Media Servers R7
• Avaya S8100 Media Servers R8
• Avaya S8100 Media Servers R9
• Avaya S8100 Media Servers
• Microsoft Internet Explorer 6.0
• Microsoft Internet Explorer 6.0 SP1

References

• BugTraq: 11515
• CVE: CVE-2004-1050
• URL: http://vil.nai.com/vil/content/v_129631.htm
• URL: http://www.cert.org/incident_notes/IN-2004-01.html