Virus Writers Start Dissing Match with New Worms

Variants of the Bagle and MyDoom worms arrived on late Tuesday, serving as digital graffiti as malware authors delivered secret messages to creators of "competing" worms.

The virus onslaught continued late Tuesday as new versions of Bagle and MyDoom hit the Internet. The latest versions appeared to serve as digital graffiti, with the code delivering secret messages to the anonymous authors of other "competing" worms.

According to analysis by security firm F-Secure Corp., the Bagle.J and MyDoom.G worms contain hidden messages aimed at the author of the NetSky worm.

For example, Bagle.J includes the text: "Hey, NetSky, f**k off you b***h, dont ruine our bussiness, wanna start a war ?"

MyDoom.G also attacked NetSkys author: "To netskys creator(s): imho, skynet is a decentralized peer-to-peer neural network. we have seen P2P in Slapper in Sinit only. they may be called skynets, but not your sh**y app."

Versions of NetSky spread rapidly across the Internet in February.

F-Secure analysts said the MyDoom variant was functionally similar to the original MyDoom.A worm.

The latest Bagle worm continued its social-engineering vector with a variable message aimed at corporate users, offering advice on e-mail account utilization. It comes as a pass-word-protected ZIP file with a Wordpad icon.

One posting on the F-Secure Labs Weblog suggested that Bagle is getting "more and more clever about the messages it sends. The latest variant can send widely variable mails, referencing the recipients company or domain name directly."

Earlier in the day, the Bagle.H worm struck. The newest version of the constantly morphing virus also arrived in a password-protected ZIP archive.

Once executed, Bagle.H copies itself to folders for several popular peer-to-peer applications in an attempt to spread via shared files.

Bagle.H, which is rated as a medium risk by the AVERT team at Network Associates Inc., also listens on TCP Port 2745 for instructions from remote hosts.

The virus has an expiration date of March 25 and is spreading fairly quickly, experts said.

/zimages/4/28571.gifCheck out eWEEK.coms Security Center at for security news, views and analysis.