Free Republic

To: Leroy S. Mort
A true security expert could confirm or deny the existence of a keylogger.

You can't trust this worm to be the same on any two machines. Its fundamental structure is that of a trojan that listens on a TCP port for arbitrary code segments that it is to execute.

For example, the supposed DDOS attack on Microsoft was not in the original worm; it was added yesterday by sending out a new worm that scans for old worms, and tells them to update themselves with this, where "this" is whatever the guy wants to add.

Yesterday he added a DDOS attack on Microsoft. But that's not supposed to occur until February 1. By then he could have changed the target two or three times, or deleted the DDOS attack altogether and replaced it with a spam relay, or a thing that formats C:, or whatever he wants. Right now this virus writer is just jerking these security guys around. "It's a DDOS attack! It's a keystroke logger! It's a breath mint!"

You were right the first time: fundamentally, no one really knows what this thing is for. It is a remotely-piloted executor of arbitrary code. Its "real" mission, whatever that is, could be scheduled to arrive a week from now, or a month from now, and could be anything.

Based on comments I've seen elsewhere, the reason they think it has to do with spammers is two-fold. First, it seems to be a professional package; the techniques used, the way things are laid out, etc., point to a professional as opposed to a script kiddie or the "12-year-old genius" who writes most of these things. Secondly, this is the New Thing among spammers. The last big worm turned out to be a collector of zombies for use by spammers; here comes another one with similar capabilities and a built-in SMTP engine, and it appears to be a paid-for, professionally written item. That suggests commercial, profit-making enterprise at work, as opposed to some crank who just wants to be a vandal. They could be wrong about this of course, but they do work this problem every day and see a lot of this stuff in the course of their work. It's "conjecture" but it's educated conjecture.

36 posted on 01/29/2004 2:43:27 PM PST by Nick Danger (With sufficient thrust, pigs fly just fine.)
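The point made in post 36 is that the worm's payload can change at any time, so a defender cannot rely on a fixed description of what it does; what stays constant is that it opens a TCP listener waiting for instructions. The script below is an added illustration of the corresponding defensive check, not code from the thread or from any vendor: it parses netstat-style output, extracts listening TCP ports, and diffs them against a known-good baseline for the host. The sample output, the baseline, and the unexpected port 65000 are all constructed values chosen for the example, not the worm's real port.

```python
"""Flag unexpected TCP listeners on a host by diffing against a known-good baseline.

Added, hypothetical defender-side check. A backdoor that waits on a TCP port for
commands shows up here no matter what payload it is later told to run.
"""
import re
from typing import Set

# Matches both Windows ("TCP ... LISTENING") and Unix ("tcp ... LISTEN") netstat rows.
LISTEN_RE = re.compile(r"^\s*(tcp6?)\s+(.*?)\s+LISTEN(?:ING)?\s*$", re.IGNORECASE)

# Constructed sample in the style of `netstat -an` on Windows; not real capture data.
# Port 65000 is an arbitrary placeholder standing in for an unexplained listener.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:65000          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3389        198.51.100.7:51022     ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

# Constructed baseline: the ports this (hypothetical) workstation is allowed to listen on.
BASELINE_PORTS: Set[int] = {135, 445, 3389}


def parse_listening_ports(netstat_text: str) -> Set[int]:
    """Return the set of TCP ports in LISTEN/LISTENING state from netstat-style text."""
    ports: Set[int] = set()
    for line in netstat_text.splitlines():
        match = LISTEN_RE.match(line)
        if not match:
            continue
        fields = match.group(2).split()
        # The local address is the first field of the form addr:port
        # (works for "0.0.0.0:135", "[::]:135" and Linux ":::22").
        local = next((f for f in fields if ":" in f), None)
        if local is None:
            continue
        port = local.rsplit(":", 1)[1]
        if port.isdigit():
            ports.add(int(port))
    return ports


def unexpected_listeners(observed: Set[int], baseline: Set[int]) -> Set[int]:
    """Ports that are listening but not in the approved baseline: candidates to investigate."""
    return observed - baseline


def report(netstat_text: str, baseline: Set[int]) -> str:
    """Human-readable summary; an empty finding set is reported explicitly."""
    extra = sorted(unexpected_listeners(parse_listening_ports(netstat_text), baseline))
    if not extra:
        return "OK: no listeners outside the baseline"
    return "INVESTIGATE: unexpected TCP listeners on ports " + ", ".join(map(str, extra))


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT, BASELINE_PORTS))
```

Run it against the real output of `netstat -an` instead of the sample and it reports any listener the baseline does not explain. An unexpected port is a signal to look at which process owns it, not proof of infection; the value of the check is that it does not depend on knowing what the current payload is.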


To: rdb3
oh yeah.. ping :)
37 posted on 01/29/2004 2:49:15 PM PST by honeygrl

To: Nick Danger
For example, the supposed DDOS attack on Microsoft was not in the original worm; it was added yesterday by sending out a new worm that scans for old worms, and tells them to update themselves with this, where "this" is whatever the guy wants to add.

It's my understanding that W32.Mydoom.B (the one that includes DoS's against both SCO AND Microsoft) is a whole new variation of W32.NovargA (the original MyDoom SCO worm) and is not, to my knowledge, "updating" the original package in the wild. If you have information to the contrary, I'd be interested in seeing it.

42 posted on 01/29/2004 3:32:02 PM PST by Leroy S. Mort

To: Nick Danger
You were right the first time: fundamentally, no one really knows what this thing is for. It is a remotely-piloted executor of arbitrary code. Its "real" mission, whatever that is, could be scheduled to arrive a week from now, or a month from now, and could be anything.

I see you're finally starting to understand the dangers of computer criminals? That's actually the first post ever I've seen you make where you may be actually starting to realize that policing of the internet is a foregone conclusion.

There are some really bad people out there on the net, and they used to just pirate others' property, giving it away for free all over the world, but now they're launching bombs out there. These "loosely knit groups of hackers from around the web" (kernel.org) have to be watched closely. I'm amazed and hopeful you're starting to see the light. More likely, just a temporary flash.

44 posted on 01/29/2004 3:41:58 PM PST by Golden Eagle