[Leroy S. Mort]

For example, the supposed DDOS attack on Microsoft was not in the original worm; it was added yesterday by sending out a new worm that scans for old worms, and tells them to update themselves with this, where "this" is whatever the guy wants to add.

It's my understanding that W32.Mydoom.B (the one that includes DoS's against both SCO AND Microsoft)is a whole new variation of W32.NovargA (the original MyDoom SCO worm)and is not, to my knowledge, "updating" the original package in the wild. If you have information to the contrary, I'd be interested in seeing it.

[Nick Danger]

is not, to my knowledge, "updating" the original package in the wild. If you have information to the contrary, I'd be interested in seeing it.

From the discussion of Novarg.B on Symantec Security Response (see #11):

The worm also contains functionality which allows it to install itself on systems which may have been infected by W32.Novarg.A@mm. This is accomplished as follows:

• The worm creates two to six threads working in parallel.
• Each thread scans a randomly picked class-C sized networks, from a.b.c.1 to a.b.c.254, except that it skips networks where a=16, 224, 127 or 128.
• Between each scanned network, a thread waits 128 ms.
• Each IP in the scanned class-C is contacted on port 3127, if the connection succeeds, the worm sends an update command along with a copy of itself to be executed on the remote machine.

So basically this guy can send out a new worm at any time to modify the behavior of the old worms. I think it's against the law in the United States to invade someone else's computer, but perhaps a "white hat" in some other country could send out an update that kills this thing, and then deletes itself.