War of the worms

By on

Following on from threats made last week by the authors of the worms Bagle and Netsky, the war of the worms has escalated to a new level.

In a strange twist, while companies like Microsoft are beefing up security and putting bounties on the heads of virus writers, it now seems that the authors of various worms are attacking each other.

It all started with a worm called Bagle.B that propagated around the internet in February this year. It was one of the new breed of “clever worms” that used social engineering to encourage unsuspecting users to click on an innocuous-seeming email attachment and infect their PC.

Then came Netsky, another worm, but one with a difference. Netsky actually attempts to remove other worms from the system, including Mimail, Mydoom and with the Netsky.F variant, it also tries to clean up the damage from Bagle.

Netsky.F also contained a message hidden in its code directed towards the author of Bagle: "Skynet AntiVirus - Bagle - you are a looser!"

This has resulted in new versions of Bagle being released -- Bagle.J and Bagle.K -- that contained, hidden in the code, a message intended for the author of the Netsky worm. The latest variant of Mydoom, Mydoom.G also contains a hidden message for the Netsky author.

"Clearly the author of the Bagle worms is unimpressed that Netsky is stealing some of the limelight and most of the headlines. This skirmish is a nuisance for computer users, of course, who are seeing the worms clogging up their email systems," said Graham Cluley, senior technology consultant for Sophos.

Security experts fear this could spark a war of the worms, with different variants attempting to outdo each other. This could result in bigger or more damaging payloads, and could further increase the strain worms and viruses place on email systems around the world.

Bagle.B uses a built-in SMTP engine to mass-mail itself to all the email addresses it can find on the victim's PC. It also spoofs the sender address, making it look like the email has been sent from someone different from the real sender. The payload is small: all it does is open a backdoor TCP port, but that allows the infected machine to be used by the virus author in the future for other attacks.

"This is the first time that confrontation between virus authors has been so clearly demonstrated. For this reason and due to virus authors' thirst for attention, we can expect new variants to appear that will try to steal the spotlight," said Luis Corrons, PandaLabs manager.

All users are advised to ensure they have anti-virus software installed, and have it updated to the latest virus definition files, as well as updating their system with the latest Microsoft critical updates.

Got a news tip for our journalists? Share it with us anonymously here.

Most Read Articles

Log In

  |  Forgot your password?