'This is the final variant' says Netsky virus writer

Should we believe it? Virus writers are so reliable normally…

By Munir Kotadia, 10 March 2004 08:55

NEWS The latest variant of the Netsky worm, which is the eleventh in less than a month, will be the last, according to a coded message from the worm's author.

Netsky.K was discovered on Monday, and security researchers found an unexpected message from the author within its code. Although the authors of Netsky, Bagle and MyDoom have been engaged in a flame war for the past couple of weeks, this latest variant differs: it contains not only the usual insults to other virus writers but also a message saying this would be the last Netsky variant.

Although the Netsky worm has caused misery for users, it is not malicious in the same way as Bagle and MyDoom, which have been designed for the sole purpose of transforming unprotected PCs into an army of spam senders. Recent versions of Netsky have actually attacked and removed the Bagle worm and the author of Netsky refers to his team as "antivirus" writers.

Mikko Hyppönen, director of antivirus research at Finnish company F-Secure, said that the authors of Netsky are under the impression they are good guys because they attack other worms: "The guy behind Netsky thinks he is doing a good thing - most likely a teenager and probably just one guy who is not part of a group of criminals."

In Netsky.K's code the author writes: "We want to destroy malware writers business [sic], including MyDoom & Bagle… To F-Secure and so on, we do not want damage systems… We have respect of your work (Your heuristic scan is not good enough! Make it better). This is the last version of our antivirus. The source code is available soon."

Hyppönen said he expects the Netsky author to stick to his word and stop releasing new variants: "We have no reason to doubt it, so I would be surprised if it isn't true."

A new version of the Bagle worm, Bagle.L, was discovered on Tuesday. According to antivirus firm Panda Software, this worm contains a back door that opens TCP port 2745. Infected computers attempt to connect to an internet address that hosts a PHP script. According to Panda, this is how the worm notifies its author that another computer has been infected.

Hyppönen said the behaviour of the latest Bagle worm is suspiciously similar to that of the original MyDoom worm, which so successfully launched a DDoS attack on the SCO.com website. He suspects that Bagle and MyDoom are written, if not by the same person, then by the same team of coders: "This family of Trojans have been used by spammers for several months. When MyDoom was distributed at the end of January, it left a back door. Through that back door they installed a specific Trojan and after a few days we started seeing spam being sent through those computers. The Bagle we found today drops the same Trojan. We are starting to think that it is the same group of people behind both Bagle and MyDoom," he said.

Munir Kotadia writes for ZDNet UK

Comments

There are 2 comments.

  1. Roelf Hart

    Dear Sir / Madam, Having been subjected to 3 attacks by the Netsky trojan in as many days, I would like to propose that the originator of this piece of nerdish & faecal material be forcibly deported to Singapore and subjected to their idea of cleansing the mind/soul by judicious/regular application of the rattan cane. Combined with solitary (social) confinement for a number of weeks, together with the aforementioned corporal cleansing, this idiot (group of idiots) may find some more useful purpose in life. It's only fortunate that I have no addresses listed in my Windows address book, so I need not apologise to anyone for spreading this insidious worm. I'll gladly (and gloatingly) manipulate the said rattan cane, if only...

    Kindest regards,

    Roelf Hart

  2. Dave Wire

    These coders should be strung up by their algorithms and put in prison or given a job at Symantec.
