'Worm war' behind recent virus releases, experts say

IDG News Service - Antivirus experts have identified new versions of three major e-mail worms and say that a "war" between rival virus writers may be to blame for the rash of outbreaks in recent weeks.
New versions of the Mydoom, Netsky and Bagle worms have all appeared on the Internet in the past 24 hours. Antivirus researchers have uncovered text messages in two of the worms that suggest a battle is under way among virus writers, antivirus companies said today.
Examples of Netsky.F, Bagle.K and Mydoom.H were isolated today, according to antivirus company F-Secure Inc. in Helsinki, Finland.
All three variants resemble their predecessors, which spread in e-mail messages with vague-sounding subjects using infected attachments such as .zip, .exe or .pif files. The viruses have their own Simple Mail Transfer Protocol engines and harvest e-mail addresses from infected computers, which are then targeted with infected mail, antivirus companies said.
The Bagle and Mydoom worms also open communication ports on infected systems that can be used by remote attackers to route unsolicited commercial e-mail, send malicious instructions to the computer or install remote monitoring software, said Al Huger, senior director of engineering for security response at Symantec Corp.
Bagle.J, Bagle.K, Netsky.F and Mydoom.G also contain comments that are part of a spirited dialogue between virus authors, according to antivirus company Sophos PLC.
Text comments in the worm code are preserved in the binary format file that's created when the code is compiled, or turned into a computer program that can be run, Huger said.
Spiced with foul language and bad spelling, the messages portray a playground-style brawl among the authors, with the Internet worms acting as messengers.
"Hey, Netsky...don't ruine our bussiness, wanna start a war?" reads a message in the Bagle.J worm's code, according to Sophos.
A message found in Netsky.F reads: "Skynet AntiVirus -- Bagle - you are a looser !!!!," and the recent Mydoom.G virus also includes hidden comments critical of the Netsky worm, F-Secure said.
The exchanges among virus authors started in January, when Netsky began removing the Mydoom and Bagle viruses from machines it infected, Huger said. The spat escalated in recent weeks, with multiple versions of the Bagle and Netsky worms appearing on an almost daily basis, primarily as vehicles for delivering new barbs and insults from the authors, he said.
Sparring matches among virus writers and hackers are nothing new, but the seriousness of the recent outbreaks has put this shouting match in the public eye, Huger said. "This behavior isn't new. The hacking community has beendoing this for years," he said.
The exchanges have been amusing to weary antivirus researchers, who are hopeful that they might lead to the capture of one or more of the worm authors.
"The more they talk, the more they open up chances to get caught," Huger said.

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.