MyDoom.C Slams Into Microsoft.com:
"UPDATED: A stripped-down version of the MyDoom worm, a k a Doomjuice, on Monday spread through network backdoor and attacked Microsoft's Web site.

A new version of the MyDoom worm appears to be circulating on the Internet and may be responsible for some disruptions to Microsoft Corp.'s Web site Sunday night and Monday morning, researchers said.

When it's executed, the new variant, called MyDoom.C, or Doomjuice, begins scanning for machines listening on TCP port 3127. When it finds available PCs, it copies itself to the new machine's Windows directory under the file name 'intrenat.exe' and also creates a file named 'sync-src-1.00.tbz' in several locations. "

But unlike the two previous versions of MyDoom, this third variant does not spread via e-mail, nor does it install a backdoor on infected machines or have a kill date, according to an analysis done by Ken Dunham, malicious code manager for iDefense Inc., based in Reston, Va. The worm's code is not encrypted, but it contains all of the source code for MyDoom.A.

The new worm's infection procedure may limit its spread, experts said. MyDoom.C spreads by scanning for machines that are already infected with one of the other variants of the worm. So the possibility of spreading widely in the enterprise is mitigated by the fact that most companies affected by one of the other worms likely already has cleaned up those PCs. Also, administrators can trump the new variant by blocking Port 3127 at the firewall.

"The risk presented by Mydoom.C needs to be tempered with the fact it is easily foiled by protection available from as early as two weeks ago. The fact the worm preys on existing Mydoom infected computers is much like a flock of vultures circling around an unfortunate soul about to succumb to the elements in that it is picking through scraps," said Ian Hameroff, eTrust security strategist at Computer Associates International Inc. of Islandia, N.Y.…

MyDoom.C does have the ability to launch a denial-of-service attack against Microsoft's main Web site, which experienced some severe performance problems overnight Sunday and again Monday morning, according to data compiled by Netcraft Ltd. If the worm is started between Feb. 8 and Feb. 12, it starts a thread that sleeps for a random amount of time and then spawns 80 threads that begin requesting pages from Microsoft.com at once. MyDoom.C does not try to attack The SCO Group's Web site, however, as the two previous versions did.…

http://www.eweek.com/article2/0,4149,1522236,00.asp