Internet security companies have discovered a new version of the Mydoom e-mail worm circulating on the Internet. The new version, Mydoom.C, is a modified copy of the virus that ravaged the Internet in January. Unlike its predecessor, however, the new variant does not use e-mail or the Kazaa peer-to-peer network to spread and is not expected to make much of an impact on the Internet, says managed security services provider LURHQ.

Mydoom.C both refines and tames the earlier version of the virus, known as Mydoom.A. Among other changes, the new virus fixes problems with the original Mydoom e-mail worm, including errors in the worm's code that made it impossible for many Mydoom-infected machines to launch a programmed denial of service (DoS) attack against The SCO Group's Web site. Gone also is the expiration date that told machines infected with the original Mydoom virus to stop their DoS attack on February 12, 2004, LURHQ says.

Also, instead of depositing a file that opens a backdoor on infected machines, the new virus distributes a compressed archive of the worm's original source code, the company says. However, the Mydoom.C author also removed many of the most dangerous features of the original virus, including the highly efficient SMTP engine that enabled infected machines to spew out e-mail messages containing the virus. That component made the original Mydoom worm the fastest spreading e-mail worm in history, easily defeating Sobig-F, the previous record holder, according to antivirus software companies.

Instead, Mydoom.C seeks out and infects machines that are already infected with the original Mydoom virus by searching for machines that are listening on port 3127, a telltale sign of Mydoom infection, says security company iDefense in a security alert. That approach will give Mydoom.C a solid base of as many as 500,000 machines, but will keep Mydoom.C from spreading much beyond the community of already-infected machines, LURHQ and iDefense say.
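Because the article names a listener on port 3127 as the sign of infection and port sweeps for it as the spreading method, a defender can look for both in connection records. The sketch below is an added example, not code from the article or the vendors it quotes; the five-field record format, the state names and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

BACKDOOR_PORT = 3127  # port the article cites as the sign of a Mydoom infection

# Constructed sample records in a hypothetical format: time src dst dport state
SAMPLE_LOG = """\
2004-02-10T09:00:01 198.51.100.7 192.0.2.10 3127 reset
2004-02-10T09:00:01 198.51.100.7 192.0.2.11 3127 established
2004-02-10T09:00:02 198.51.100.7 192.0.2.12 3127 reset
2004-02-10T09:00:02 198.51.100.7 192.0.2.13 3127 timeout
2004-02-10T09:00:05 192.0.2.20 203.0.113.5 80 established
2004-02-10T09:00:09 192.0.2.11 192.0.2.30 3127 reset
garbled line
2004-02-10T09:01:00 203.0.113.9 192.0.2.14 3127 established
"""


def parse(line):
    """Return (src, dst, dport, state), or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    _, src, dst, dport, state = parts
    return src, dst, int(dport), state.lower()


def analyze(log_text, scan_threshold=3):
    """Return (scanners, listeners) seen on the backdoor port.

    scanners:  sources that tried the port on >= scan_threshold distinct hosts
    listeners: destinations that completed a handshake on the port, meaning
               something on that host is accepting connections there
    """
    targets = defaultdict(set)
    listeners = set()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[2] != BACKDOOR_PORT:
            continue
        src, dst, _, state = rec
        targets[src].add(dst)
        if state == "established":
            listeners.add(dst)
    scanners = sorted(s for s, d in targets.items() if len(d) >= scan_threshold)
    return scanners, sorted(listeners)


if __name__ == "__main__":
    sweepers, infected = analyze(SAMPLE_LOG)
    print("sweeping for port 3127:", sweepers)
    print("answering on port 3127:", infected)
```

Hosts in the second list are the ones to isolate and clean first, since an open listener on that port is what the new variant searches for.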

Full Story: PC World