Update: MyDoom At Sixteen

MyDoom.p was first sighted just before noon EST Tuesday by the Internet Storm Center, Bethesda, Md.

Like its most recent predecessors, MyDoom.m and MyDoom.o, variant No. 16 exploits Internet search engines to propagate. An SMTP-based mass-mailing worm, MyDoom.p attempts to fool users into opening the e-mails by mimicking returned mail notifications with such subject headers as "delivery failure notification," "status," "delivery reports about your e-mail" and "returned mail: see transcript for details," according to security experts.

After analyzing variant No. 16, the Storm Center issued a statement speculating that MyDoom.p may only work on Windows 2000 and Windows XP machines because the executable worm requires a DLL file named psapi.dll.

When the worm does work, it "copies itself to the Windows system directory as winlibs.exe and installs itself under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run," according to the Storm Center.

Security administrators should take notice that MyDoom.p carries common attachment file names that include mail, message, attachment, transcript, text, document, file and readme. The attachments' extensions are just as common, a range that includes .exe, .zip and .txt.exe, according to security experts who've followed MyDoom's lineage.
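As an added illustration (not code from the article or from the Storm Center), the subject lines, attachment names and extensions reported above can be turned into a mail-gateway check. The function names and the sample message are constructed for this example; the indicator lists contain only the values named in the article.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators as listed in the article above; matching is case-insensitive.
SUBJECTS = {"delivery failure notification", "status",
            "delivery reports about your e-mail",
            "returned mail: see transcript for details"}
BASE_NAMES = {"mail", "message", "attachment", "transcript",
              "text", "document", "file", "readme"}
EXTENSIONS = (".txt.exe", ".exe", ".zip")  # longest first so .txt.exe wins


def split_name(filename):
    """Split a file name into (base, ext) using only the listed extensions."""
    lowered = filename.strip().lower()
    for ext in EXTENSIONS:
        if lowered.endswith(ext):
            return lowered[: -len(ext)], ext
    return lowered, ""


def score_message(raw_bytes):
    """Return the indicator hits found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.iter_attachments():
        base, ext = split_name(part.get_filename() or "")
        if base in BASE_NAMES and ext:
            hits.append("attachment:" + base + ext)
    return hits


def build_sample(subject, filename):
    """Constructed test message carrying a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"] = "postmaster@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("Constructed sample body.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A subject such as "status" is common in legitimate mail, so a gateway rule would reasonably require a subject hit and an attachment hit together before quarantining.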