A new version of the MyDoom worm appears to be circulating on the Internet and may be responsible for some disruptions to Microsoft Corp.'s Web site Sunday night and Monday morning, researchers say. When it's executed, the new variant, called MyDoom.C, begins scanning for machines listening on TCP port 3127. When it finds available PCs, it copies itself to the new machine's Windows directory under the file name "internat.exe" and also creates a file named "sync-src-1.00.tbz" in several locations.
But unlike the two previous versions of MyDoom, this third variant does not spread via e-mail, nor does it install a backdoor on infected machines or have a kill date, according to an analysis done by Ken Dunham, malicious code manager for iDefense Inc., based in Reston, Va. The worm's code is not encrypted, but it contains all of the source code for MyDoom.A.
News source: eWeek