Original URL: http://www.theregister.co.uk/2004/08/16/mydoom_spam/
Infected PCs spew MyDoom variant
Business as usual
Posted in Malware, 16th August 2004 15:02 GMT
The MyDoom worm saga continued today with the release of yet another variant of the noxious email worm. The latest variant, MyDoom-S [1] (AKA MyDoom-Q or MyDoom-R), poses as funny photographs in order to dupe users into opening an infectious attachment called photos_arc.exe.
MyDoom-S runs when a Windoze user (Linux or Mac users are immune) opens this malicious attachment. Thereafter the worm mass-mails itself to email addresses harvested from the infected machine, using the subject line "photos" and the message body "LOL!;))))". Like other MyDoom variants, MyDoom-S also tries to download a backdoor Trojan (in this case Surila-G) onto the infected PC from one of a number of websites. The Trojan lets attackers control infected machines remotely, for example to send spam.
Finnish AV firm F-Secure reckons virus writers bulk-mailed copies of MyDoom-S from machines infected by earlier versions of the worm in an effort to give their latest creation a kick-start.
In an advisory, F-Secure states: "The source addresses of the spams appear to be from DSL and cable modem pools, suggesting that the MyDoom gang is using a botnet created with earlier MyDoom variants to send this one out. They've also carefully checked that none of the common antiviruses detect this new variant. The worm contains a backdoor. System administrators may also want to block access to domains www.richcolour.com and zenandjuice.com from their network for a while. This variant tries to download components from these addresses but the sites themselves have nothing to do with the virus group."
MyDoom-S began spreading (fairly extensively) today. Most AV vendors rate MyDoom-S as a medium risk threat. MyDoom-S is programmed to stop spreading on 20 August 2004 but the backdoor does not have an expiration date. ®
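The lure strings (subject "photos", body "LOL!;))))", attachment photos_arc.exe) and the two download domains named by F-Secure are the indicators an administrator would actually act on. The following triage script is an added example, not code from The Register or from F-Secure: it checks a message for the lure and scans proxy or DNS logs for hosts that reached the download sites, which is where the Surila-G backdoor would have come from. The sample e-mail addresses, the Squid-style and BIND-style log lines, the client IPs and the URL paths are all constructed for the example; the attachment body is a stub, not the worm.

```python
"""Triage helpers for the MyDoom-S indicators in the article (added example)."""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage

# Indicators quoted in the article: the lure's subject line, body text and
# attachment name, and the two domains F-Secure suggested blocking for a while.
LURE_SUBJECT = "photos"
LURE_BODY = "LOL!;))))"
LURE_ATTACHMENT = "photos_arc.exe"
DOWNLOAD_DOMAINS = {"www.richcolour.com", "zenandjuice.com"}

DOMAIN_RE = re.compile(
    r"\b(" + "|".join(re.escape(d) for d in sorted(DOWNLOAD_DOMAINS)) + r")\b",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def lure_indicators(raw_message: bytes) -> list[str]:
    """Return which of the MyDoom-S lure indicators an RFC 822 message carries.

    The strings are specific to this variant: treat a partial match as a hint
    and a full match (subject, body and attachment) as a strong one.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip().lower() == LURE_SUBJECT:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() == LURE_BODY:
        hits.append("body")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == LURE_ATTACHMENT:
            hits.append("attachment")
            break
    return hits


def hosts_contacting_download_sites(log_text: str) -> dict[str, set[str]]:
    """Map client IPs to the download domains they touched, from proxy or DNS logs.

    Deliberately format-agnostic: the first IPv4 address on a line is taken as
    the client and any listed domain on the same line counts as a hit. Hosts
    returned here should be checked for the Surila-G backdoor the worm fetches.
    """
    suspects: dict[str, set[str]] = {}
    for line in log_text.splitlines():
        domains = {m.group(1).lower() for m in DOMAIN_RE.finditer(line)}
        client = IPV4_RE.search(line)
        if domains and client:
            suspects.setdefault(client.group(0), set()).update(domains)
    return suspects


def build_sample_message(subject: str, body: str, attachment_name: str | None) -> bytes:
    """Construct an offline test message (assumed addresses; the attachment is a stub, not the worm)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ\x90\x00stub", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed log lines in Squid access-log and BIND query-log style; the
# client IPs, timestamps and URL paths are assumptions, not observed traffic.
SAMPLE_LOG = """\
1092668400.123 312 10.0.0.17 TCP_MISS/200 4096 GET http://www.richcolour.com/ - DIRECT/192.0.2.10 application/octet-stream
1092668401.456 18 10.0.0.23 TCP_HIT/200 1220 GET http://www.example.com/index.html - NONE/- text/html
16-Aug-2004 15:02:03.789 client 10.0.0.42#1034: query: zenandjuice.com IN A
1092668402.001 540 10.0.0.17 TCP_MISS/404 512 GET http://ZenAndJuice.com/ - DIRECT/192.0.2.20 text/html
"""

if __name__ == "__main__":
    lure = build_sample_message(LURE_SUBJECT, LURE_BODY, LURE_ATTACHMENT)
    print("lure indicators:", lure_indicators(lure))
    print("hosts to check:", hosts_contacting_download_sites(SAMPLE_LOG))
```

Two caveats follow from the article itself. The lure strings identify only this variant, so a miss says nothing about the MyDoom family as a whole, and the gang had already tested the sample against common scanners, which is why a cheap content match like this was useful at the time. And F-Secure's advisory says the two sites have nothing to do with the virus group, so the domain match is a short-term block-and-monitor list for finding infected hosts, not a reason to treat the site owners as hostile.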
Related stories
Latest MyDoom hunts victims via Yahoo! [2]
We're all MyDoomed [3]
Microsoft attack worm rides on the back of MyDoom [4]
Google goes gimpy from MyDoom infection [5]
Zombie PCs spew out 80% of spam [6]
Phatbot arrest throws open trade in zombie PCs [7]
MyDoom and Netsky cause chaos [8]
MyDoom is the worst virus ever [9]
Links
- http://www.viruslist.com/eng/viruslist.html?id=2047992
- http://www.theregister.co.uk/2004/08/04/mydoom_targets_yahoo/
- http://www.theregister.co.uk/2004/07/27/google_bashing_virus/
- http://www.theregister.co.uk/2004/07/28/ms_worm_uses_mydoom/
- http://www.theregister.co.uk/2004/07/26/google_mydoom_infection/
- http://www.theregister.co.uk/2004/06/04/trojan_spam_study/
- http://www.theregister.co.uk/2004/05/12/phatbot_zombie_trade/
- http://www.theregister.co.uk/2004/02/27/mydoom_and_netsky_cause_chaos/
- http://www.theregister.co.uk/2004/01/28/mydoom_is_the_worst_virus/
