When the worm turns - antivirus report

Things are turning nasty on the information superhighway, with US anti-virus experts uncovering text messages in recent worm variants that have suggested that a battle is underway between virus writers.

In the past week, antivirus experts have seen a flood of new variants of the Bagle, NetSky and MyDoom worms.

“In a single day we’re seeing several new variants appearing,” technical support manager at Sophos Antivirus Australia, said.

Despite only modest changes between worm versions, the new Bagle and Netsky variants appeared to be the work of the original virus authors, Richmond said.

"Someone who has access to the source code is creating these,” he said. “The changes in the variants are not insignificant, and I haven’t seen evidence that the source code is very widely distributed.”

A majority of these newly-appearing variants seem to be used primarily as a vehicle for delivering new barbs and insults between virus writers.

This worm-fuelled quarrel began back in January, senior director of engineering for security response at Symantec, Al Huger, said. This was when NetSky began removing the MyDoom and Bagle virus from the machines it infected.

Bagle J, Bagle K, Netsky F and MyDoom G all contain comments that are part of a spirited dialogue between virus authors, according to US- based Sophos antivirus researchers

Text comments in the worm code are preserved in the binary format file that was created when the code was “complied”, or turned into a computer program that could be run, Huger said.

Spiced with foul language and bad spelling, the messages portray a playground-style brawl between the authors, with the internet worms acting as messengers.

“Such behaviour isn’t new,” Huger said. “The hacking community has been doing it for years.”

The viruses have been spreading rapidly on the Internet, generating a huge volume of virus-infected email messages. The new virus versions use a variety of so-called “social engineering” techniques to fool users.

Several of the new variants were hiding in password-protected ZIP files to slip past antivirus filters and into users’ email boxes, Richmond said.

Netsky.D, a new version of the Netsky worm, is believed to be the biggest threat in this group.

As of the beginning of March, Netsky.D had been spreading rapidly on the Internet and flooding email servers with infected messages, Richmond said.

Some of Sophos' customers were receiving thousands of Netsky.D infected messages each hour.

“We’ve been getting a lot of calls from customers who have been getting huge numbers of emails,” he said. “Luckily there have not been many infections, as when these files are opened any up-to-date desktop antivirus software will block it.”