'Worm war' behind recent virus releases

Antivirus experts have identified new versions of three major e-mail worms and say that a "war" between rival virus writers may be to blame for the rash of outbreaks in recent weeks.

New versions of the MyDoom, Netsky and Bagle have all appeared on the Internet in the last 24 hours. Antivirus researchers have uncovered text messages in two of the worms that suggests a battle is underway between virus writers, antivirus companies said on Wednesday.

Examples of Netsky.F, Bagle.K and Mydoom.H were isolated on Wednesday, according to antivirus company F-Secure Corp. of Helsinki.

All three variants resemble their predecessors, which spread in e-mail messages with vague-sounding subjects using infected attachments such as ZIP, EXE or PIF files. The viruses have their own SMTP (Simple Mail Transfer Protocol) engines and harvest e-mail addresses from infected computers, which are then targeted with infected mail, antivirus companies said.

The Bagle and Mydoom worms also open communication ports on infected systems which can be used by remote attackers to route unsolicited commercial ("spam") email, send malicious instructions to the computer or install remote monitoring software, said Al Huger, senior director of engineering for security response at Symantec Corp.

Bagle.J, Bagle.K, Netsky.F and Mydoom.G also contain comments that are part of a spirited dialogue between virus authors, according to antivirus company Sophos PLC.

Text comments in the worm code are preserved in the binary format file that is created when the code is "compiled," or turned into a computer program that can be run, Huger said.

Spiced with foul language and bad spelling, the messages portray a playground-style brawl between the authors, with the Internet worms acting as messengers.

"Hey, Netsky...don't ruine (sp) our bussiness (sp), wanna start a war?" reads a message in the Bagle.J worm's code, according to Sophos.

A message found in Netsky.F reads: "Skynet AntiVirus -- Bagle - you are a looser (sp)!!!!," and the recent Mydoom.G virus also includes hidden comments critical of the Netsky worm, F-Secure said.

The back and forth between virus authors started in January when Netsky began removing the Mydoom and Bagle viruses from machines it infected, Huger said.

The spat escalated in recent weeks, with multiple versions of the Bagle and Netsky worms appearing on an almost daily basis, primarily as vehicles for delivering new barbs and insults from the authors, Huger said.

Sparring matches between virus writers and hackers are nothing new, however the seriousness of the recent outbreaks has put this shouting match in the public eye, he said.

"This behavior isn't new. The hacking community has been doing this for years," he said.

The exchanges have been amusing to weary antivirus researchers, who are also hopeful that they might lead to the capture of one or more of the worm authors.

"The more they talk, the more the open up chances to get caught," Huger said.