Turns out these new Mydoom.AG and Mydoom.AH variants might not be Mydooms at all. Our comparison tools show only around 49% correlation between these and the last Mydooms. So that would explain why the technique is so different.
These viruses are also among the fastest ever to take advantage of a new security vulnerability. The exploit was only posted publicly on Friday, and the viruses were out by Tuesday.
So the virus spreads in four steps:
1. Infected machine ("predator") sends out tons of emails with a link
2. Recipient on target machine ("prey") follows the link back to a website on the infected machine
3. Exploit on the web page downloads and runs the virus, turning the prey into another predator
4. Repeat
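Because the emailed link points back at the machine that sent the mail, a mail filter can flag messages whose body links to the same IP address that delivered them. The following is an added example, not code from the original post; the Received-header layout, the function names, the sample messages, the addresses and the port are all constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
BRACKET_IP_RE = re.compile(r"\[([0-9A-Fa-f:.]+)\]")

def sending_ip(msg):
    # Assumption: the topmost Received header was written by our own mail
    # server and records the connecting client as [ip].
    received = msg.get_all("Received") or []
    m = BRACKET_IP_RE.search(received[0]) if received else None
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None

def links_back_to_sender(raw_message):
    """Return body URLs whose host is the IP that delivered the message."""
    msg = message_from_string(raw_message)
    src = sending_ip(msg)
    if src is None:
        return []
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for url in URL_RE.findall(text):
            try:
                host = ipaddress.ip_address(urlsplit(url).hostname or "")
            except ValueError:
                continue  # a hostname, not an IP literal: not handled here
            if host == src:
                hits.append(url)
    return hits

# Constructed sample messages (documentation addresses, made-up port).
SAMPLE_SUSPECT = ("Received: from pc ([192.0.2.15]) by mx.example.org\n"
                  "Subject: hi\n\n"
                  "Take a look: http://192.0.2.15:8080/page.htm\n")
SAMPLE_BENIGN = ("Received: from relay ([198.51.100.7]) by mx.example.org\n"
                 "Subject: news\n\n"
                 "See http://www.example.com/news and http://192.0.2.15/\n")

if __name__ == "__main__":
    for name, raw in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(name, links_back_to_sender(raw))
```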
To make this clearer, have a look at our high-tech illustration: