MyDoom aftermath: the backdoor and the war

Two weeks into MyDoom. Two new developments worth writing about.

The backdoor exploitation

MyDoom's port-3127 backdoor is now being used by multiple parties. Other worms — most notably Doomjuice — are scanning specifically for MyDoom-compromised hosts and using the backdoor to install themselves.

This is the chain-compromise pattern at scale. MyDoom's compromised population is now substrate for follow-on attacks.

The worm wars

Netsky appeared in February. It includes code to remove MyDoom and Bagle from infected hosts. Bagle responded with variants that target Netsky. The three worm families are now fighting for dominance of the compromised population.

This is a category change. The compromised-host pool is now a contested resource among different malware operators. The economic infrastructure of cybercrime is operating openly.

What operators should do

Standard mail filtering disciplines. Plus: identify and clean up MyDoom-compromised hosts even if MyDoom appears inactive — the backdoor remains exploitable.
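One way to do that identification from connection logs, as an added example that is not part of the original post: it flags hosts that completed a TCP handshake on 3127 (cleanup candidates) and sources sweeping many hosts on that port (the Doomjuice-style pattern). The log format, the sample lines and the scan threshold are constructed assumptions.

```python
"""Triage constructed connection logs for MyDoom backdoor (tcp/3127) activity."""
from collections import defaultdict

BACKDOOR_PORT = 3127  # MyDoom's backdoor listener, as described in the post
SCAN_THRESHOLD = 3    # distinct targets before a source is flagged as a scanner (assumed tuning)

# Constructed sample lines, not real traffic. Assumed format:
# <timestamp> <src_ip> <dst_ip> <dst_port> <ESTABLISHED|REFUSED>
SAMPLE_LOG = """\
2004-02-10T09:00:01 198.51.100.7 10.0.0.5 3127 ESTABLISHED
2004-02-10T09:00:02 198.51.100.7 10.0.0.6 3127 REFUSED
2004-02-10T09:00:03 198.51.100.7 10.0.0.7 3127 REFUSED
2004-02-10T09:00:04 198.51.100.7 10.0.0.8 3127 ESTABLISHED
2004-02-10T09:01:00 203.0.113.9 10.0.0.5 3127 ESTABLISHED
2004-02-10T09:02:00 10.0.0.20 10.0.0.5 445 ESTABLISHED
2004-02-10T09:03:00 192.0.2.4 10.0.0.9 25 ESTABLISHED
"""

def parse_line(line):
    ts, src, dst, dport, state = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "state": state}

def triage_backdoor_traffic(log_text, scan_threshold=SCAN_THRESHOLD):
    """Return (listeners, scanners) for tcp/3127 traffic.

    listeners: hosts that completed a handshake on 3127 (something answers on the
      backdoor port, so the host needs cleanup even if the mailer is quiet).
    scanners: sources that probed >= scan_threshold distinct hosts on 3127, the
      sweep pattern follow-on worms such as Doomjuice use to find MyDoom hosts.
    """
    peers_by_listener = defaultdict(set)
    targets_by_src = defaultdict(set)
    for raw in filter(str.strip, log_text.splitlines()):
        rec = parse_line(raw)
        if rec["dport"] != BACKDOOR_PORT:
            continue  # unrelated service traffic
        targets_by_src[rec["src"]].add(rec["dst"])
        if rec["state"] == "ESTABLISHED":
            peers_by_listener[rec["dst"]].add(rec["src"])
    listeners = {h: sorted(p) for h, p in peers_by_listener.items()}
    scanners = {s: len(t) for s, t in targets_by_src.items() if len(t) >= scan_threshold}
    return listeners, scanners

if __name__ == "__main__":
    listeners, scanners = triage_backdoor_traffic(SAMPLE_LOG)
    for host, peers in sorted(listeners.items()):
        print(f"clean up {host}: tcp/3127 handshakes from {', '.join(peers)}")
    for src, n in sorted(scanners.items()):
        print(f"scanner {src}: probed {n} hosts on tcp/3127")
```

A host in the listeners set should be treated as compromised regardless of whether the worm's mass-mailer is still sending; the open backdoor is the risk.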

More as the situation develops.
