Computerworld reports that this new worm is much more serious than the "Ikee" worm. Hackers are using the worm to build a botnet that steals data, including online banking credentials.
According to Chester Wisniewski, a senior security advisory with Sophos, "Duh" changes the default SSH password of "alpine" to "ohshit." It then uses the command-and-control strategy used by traditional PC-based botnets to steal data from the compromised device, including SMS-based authentication codes that some banks use to protect customers who are making financial transactions from their iPhones.
Ars Technica notes that non-jailbroken iPhones remain unaffected by these worms, or any real worms, for that matter.