New MyDoom Variants

New MyDoom/Bofra variants are on the loose and at least one of them (MyDoom.ah), at first glance, looks like a phishing attempt. I received an email this morning (seen below) that poses as a message from PayPal. But the embedded link in the email doesn't point to PayPal. Instead it points to an infected user's system. When the link is visited a Web page is loaded that contains and IFRAME buffer overflow exploit which serves to download and run the virus.

--------------------------
Congratulations! PayPal has successfully charged $175 to your creditcard. Your order tracking number is A866DEC0, and your item will be shippedwithin three business days.

To see details please click this link [a href="http://192.168.0.12:1639/index.htm"] link.

DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent byan automated message system and the reply will not be received.

Thank you for using PayPal.
--------------------------

The virus opens a Web server on port 1639, connects to various IRC servers, gathers email addresses from the infected user's system and then proceeds to email messages to people hoping they'll click the link and infect themselves. But as you can see from the message I received, the virus doesn't work if the infected user is behind a NAT network since the user's NAT address will appear in the clickable URL which obviously isn't a routable address on the Internet and is therefore unreachable by people outside the NAT network.