The MyDoom worm saga continued today with the release of yet another variant of the noxious email worm. The latest variant - MyDoom-S (http://www.viruslist.com/eng/viruslist.html?id=2047992) (AKA MyDoom-Q or MyDoom-R) - poses as a funny photographs in order to dupe users into opening an infectious attachment called photos_arc.exe.

MyDoom-S runs when a Windoze user (Linux or Mac users are immune) clicks on this malicious attachment. Thereafter the worm mass-mails itself to email addresses harvested from the infected machine with the subject line "photos" and message body "LOL!;))))". Like other variants of MyDoom, MyDoom-S also tries to download a backdoor Trojan (in this case Surila-G) from one of a number of websites onto infected PCs. The Trojan allows infected machines to be controlled remotely by attackers in order to send spam, for example.

Finnish AV firm F-Secure reckons virus writers bulk-mailed copies of MyDoom-S from machines infected by earlier versions of the worm in an effort to give their latest creation a kick-start.

In an advisory, F-Secure states: "The source addresses of the spams appear to be from DSL and cable modem pools, suggesting that the MyDoom gang is using a botnet created with earlier MyDoom variants to send this one out. They've also carefully checked that none of the common antiviruses detect this new variant. The worm contains a backdoor. System administrators may also want to block access to domains www.richcolour.com and zenandjuice.com from their network for a while. This variant tries to download components from these addresses but the sites themselves have nothing to do with the virus group."

MyDoom-S began spreading (fairly extensively) today. Most AV vendors rate MyDoom-S as a medium risk threat. MyDoom-S is programmed to stop spreading on 20 August 2004 but the backdoor does not have an expiration date. ®

Related stories

Latest MyDoom hunts victims via Yahoo! (http://www.theregister.co.uk/2004/08/04/mydoom_targets_yahoo/)
We're all MyDoomed (http://www.theregister.co.uk/2004/07/27/google_bashing_virus/)
Microsoft attack worm rides on the back of MyDoom (http://www.theregister.co.uk/2004/07/28/ms_worm_uses_mydoom/)
Google goes gimpy from MyDoom infection (http://www.theregister.co.uk/2004/07/26/google_mydoom_infection/)
Zombie PCs spew out 80% of spam (http://www.theregister.co.uk/2004/06/04/trojan_spam_study/)
Phatbot arrest throws open trade in zombie PCs (http://www.theregister.co.uk/2004/05/12/phatbot_zombie_trade/)
MyDoom and Netsky cause chaos (http://www.theregister.co.uk/2004/02/27/mydoom_and_netsky_cause_chaos/)
MyDoom is the worst virus ever (http://www.theregister.co.uk/2004/01/28/mydoom_is_the_worst_virus/)