MyDoom AG/AH might be a brand new virus family
An interesting analysis on MyDoom AG/AH from F-Secure's weblog: http://www.f-secure.com/weblog/
Turns out these new Mydoom.AG and Mydoom.AH variants might not be Mydooms at all.
Our comparison tools show only around 49% correlation between these and the last Mydooms. So that would explain why the technique is so different.
These viruses are also one of the fastest ever to take advantage of a new security vulnerability. The exploit was only posted publicly on Friday, and the viruses were out by Tuesday.
So the virus spreads in four steps:
1 Infected machine ("predator") sends out tons of emails with a link
2 Recipient on target machine ("prey") follows the link back to a website on the Infected machine
3 Exploit on the web page downloads and runs the virus, turning the prey to another predator
4 Repeat STEPS 1-4 ILLUSTRATED http://www.f-secure.com/weblog/archives/agillustration.jpg