MyDoom author may be covering tracks


NeonWizard
February 10th, 2004, 08:27 PM
A worm that started spreading on Sunday places the source code for the original MyDoom virus on victims' hard drives, an action equivalent to planting evidence, antivirus experts said Tuesday.

The worm, Doomjuice, spreads to computers that have already been infected by either the original MyDoom virus or the MyDoom.B variant, and among other actions, places several copies of the source code for MyDoom.A on the victim's computer.

The author may be using the tactic to create a crowd of PC users in which to hide, or the author could be spreading the code in hopes that other virus writers will create variations on MyDoom, said Graham Cluley, senior technology consultant for antivirus firm Sophos.

Read Article (http://zdnet.com.com/2100-1104_2-5156836.html?tag=zdfd.newsfeed)

bigc73542
February 10th, 2004, 10:53 PM
With a $250.000 reward out for him or her they may just be trying to hide. I think I would. ;)

Jooske
February 11th, 2004, 03:31 AM
Could this be a reason for the sudden extra amount of portscans on TCP port 3127, which is one of the backdoors opened by MyDoom?
Do infected victims portscan to spread further? The scans come from everywhere! Was a DDoS part of the payload? Thought only on the Microsoft and sco.com sites?


http://isc.sans.org/port_details.html?port=3127
Ports 3127-3198 are used by MyDoom, and 10080 also by MyDoom-B
http://www.viruslist.com/eng/viruslist.html?id=942691
Here's the juice variant B already.
So the portscan 3127 story I mentioned above unfortunately fits.
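
An added example, not part of the original thread: one way to check firewall logs for the probes discussed above, counting per source the TCP connection attempts to the ports the thread names (3127-3198 and 10080) and marking sources that touch several hosts. The log format (iptables LOG style), the `INTERNAL_NET` range, the sweep threshold and all sample lines are assumptions constructed for illustration; an internal source in the output is a host worth inspecting for infection.

```python
import ipaddress
import re
from collections import defaultdict

# Ports named in the thread: 3127-3198 (MyDoom) and 10080 (MyDoom-B).
MYDOOM_PORTS = set(range(3127, 3199)) | {10080}
# Assumption: the address range treated as "our network" in this example.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample log lines (iptables LOG style), not real traffic.
SAMPLE_LOG = """\
Feb 11 03:12:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4123 DPT=3127 SYN
Feb 11 03:12:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=4124 DPT=3127 SYN
Feb 11 03:12:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=4125 DPT=3127 SYN
Feb 11 03:14:40 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=1999 DPT=10080 SYN
Feb 11 03:14:41 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=1999 DPT=3127
Feb 11 03:15:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=3301 DPT=80 SYN
Feb 11 03:20:00 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.44 DST=198.51.100.20 PROTO=TCP SPT=1050 DPT=3127 SYN
Feb 11 03:20:00 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.44 DST=198.51.100.21 PROTO=TCP SPT=1051 DPT=3128 SYN
Feb 11 03:20:01 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.44 DST=198.51.100.22 PROTO=TCP SPT=1052 DPT=3127 SYN
"""


def parse(line):
    """Return (src, dst, dport) for a TCP log line, or None if unusable."""
    f = dict(FIELD.findall(line))
    try:
        if f["PROTO"] != "TCP":
            return None
        ipaddress.ip_address(f["SRC"])  # reject malformed source addresses
        return f["SRC"], f["DST"], int(f["DPT"])
    except (KeyError, ValueError):
        return None


def summarize(log_text, sweep_threshold=3):
    """Group probes to MyDoom ports by source; flag multi-host sweeps."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2] in MYDOOM_PORTS:
            targets[rec[0]].add((rec[1], rec[2]))
    report = {}
    for src, hits in targets.items():
        hosts = {dst for dst, _ in hits}
        report[src] = {"hosts": len(hosts), "ports": sorted({p for _, p in hits}),
                       "sweep": len(hosts) >= sweep_threshold,
                       "internal": ipaddress.ip_address(src) in INTERNAL_NET}
    return report
```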