Another new version of MyDoom is worming its way through the Internet, and this variant—like the last one—uses Yahoo as part of its infection routine. MyDoom.P is similar to most of the other MyDoom variants in that it arrives via e-mail, with a spoofed sending address and a subject line designed to make it look like the message is related to one that the recipient sent. Among the subject lines in the e-mails are "SN: New secure mail," "Secure delivery," "Re: Extended mail," "Delivery Status (Secure)," "Re: Server Reply" and "SN: Server Status."
The body of the e-mail contains any of a number of sentences, some of which refer to the included Zip file. Many of the messages reference security or refer to the attached file as a "secure Zip file." Once opened, the executable file copies itself to the Windows system directory as "winlibs.exe." The executable contains a list of dozens of common first and surnames that it puts through Yahoo"s People Search in an attempt to find more e-mail addresses to mail itself to, according to a preliminary analysis of the worm done by the staff of the Internet Storm Center at The SANS Institute in Bethesda, Md.