Risk: Medium
The MyDoom worm saga continued in August with the release of yet another variant of the noxious email worm. The latest variant - MyDoom-S (AKA MyDoom-Q or MyDoom-R) - poses as funny photographs in order to dupe users into opening an infectious attachment called photos_arc.exe.
MyDoom-S runs when a Windows user (Linux or Mac users are immune) clicks on this malicious attachment. Thereafter the worm mass-mails itself to email addresses harvested from the infected machine with the subject line "photos" and message body "LOL!;))))". Like other variants of MyDoom, MyDoom-S also tries to download a backdoor Trojan (in this case Surila-G) from one of a number of web sites onto infected PCs. The Trojan allows infected machines to be controlled remotely by attackers in order to send spam, for example.
Finnish AV firm F-Secure reckons virus writers bulk-mailed copies of MyDoom-S from machines infected by earlier versions of the worm in an effort to give their latest creation a kick-start.
In an advisory, F-Secure states: "The source addresses of the spams appear to be from DSL and cable modem pools, suggesting that the MyDoom gang is using a botnet created with earlier MyDoom variants to send this one out. They've also carefully checked that none of the common antiviruses detect this new variant. The worm contains a backdoor. System administrators may also want to block access to domains www.richcolour.com and zenandjuice.com from their network for a while. This variant tries to download components from these addresses but the sites themselves have nothing to do with the virus group."
Most AV vendors rate MyDoom-S as a medium-risk threat. MyDoom-S is programmed to stop spreading on 20 August 2004, but the backdoor does not have an expiration date.