Virus Writers Start Dissing Match with New Worms

 
 
By David Morgenstern  |  Posted 2004-03-02 Print this article Print
 
 
 
 
 
 
 

Variants of the Bagle and MyDoom worms arrived on late Tuesday, serving as digital graffiti as malware authors delivered secret messages to creators of "competing" worms.

The virus onslaught continued late Tuesday as new versions of Bagle and MyDoom hit the Internet. The latest versions appeared to serve as digital graffiti, with the code delivering secret messages to the anonymous authors of other "competing" worms. According to analysis by security firm F-Secure Corp., the Bagle.J and MyDoom.G worms contain hidden messages aimed at the author of the NetSky worm. For example, Bagle.J includes the text: "Hey, NetSky, f**k off you b***h, dont ruine our bussiness, wanna start a war ?"
MyDoom.G also attacked NetSkys author: "To netskys creator(s): imho, skynet is a decentralized peer-to-peer neural network. we have seen P2P in Slapper in Sinit only. they may be called skynets, but not your sh**y app."
Versions of NetSky spread rapidly across the Internet in February. F-Secure analysts said the MyDoom variant was functionally similar to the original MyDoom.A worm. The latest Bagle worm continued its social-engineering vector with a variable message aimed at corporate users, offering advice on e-mail account utilization. It comes as a pass-word-protected ZIP file with a Wordpad icon. One posting on the F-Secure Labs Weblog suggested that Bagle is getting "more and more clever about the messages it sends. The latest variant can send widely variable mails, referencing the recipients company or domain name directly." Earlier in the day, the Bagle.H worm struck. The newest version of the constantly morphing virus also arrived in a password-protected ZIP archive. Once executed, Bagle.H copies itself to folders for several popular peer-to-peer applications in an attempt to spread via shared files. Bagle.H, which is rated as a medium risk by the AVERT team at Network Associates Inc., also listens on TCP Port 2745 for instructions from remote hosts. The virus has an expiration date of March 25 and is spreading fairly quickly, experts said. Check out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.
 
 
 
 
David Morgenstern is Executive Editor/Special Projects of eWEEK. Previously, he served as the news editor of Ziff Davis Internet and editor for Ziff Davis' Storage Supersite.

In 'the days,' he was an award-winning editor with the heralded MacWEEK newsweekly as well as eMediaweekly, a trade publication for managers of professional digital content creation.

David has also worked on the vendor side of the industry, including companies offering professional displays and color-calibration technology, and Internet video.

He can be reached here.

 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel