War of the worms
Bagle.I, Bagle.J, and Bagle.K mimic Bagle.F, Bagle.G, and Bagle.H, sending password-protected ZIP attachments at least part of the time. The password is included in the message body of the worm email, so the recipient can open the archive while a gateway scanner that does not read the body has no way to inspect its contents. The main worm component that each variant drops into the Windows System folder carries a different name. For example:
Bagle.I drops I11R54N4.EXE
Bagle.J drops IRUN4.EXE, and
Bagle.K drops WINSYS.EXE
For a more complete description of the Bagle worm, see the descriptions of the Bagle.A, Bagle.B, Bagle.C, and Bagle.J worms.
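The attachment trick described above (an encrypted ZIP plus the password stated in the body) defeats a gateway that cannot open the archive, but it also hands a scanner a test: if a token lifted from the body opens the ZIP, the message fits the pattern. The following is an added example, not code from the article or from any vendor it mentions. The sample message, the password heuristic (tokens following the word "password"), the file names, and the hand-written ZipCrypto encoder (Python's zipfile reads encrypted archives but cannot write them) are all assumptions made for the demonstration; harmless text stands in for the worm executable.

```python
# Added example, not code from the article: flag mail that carries a password-protected ZIP
# whose password is stated in the body (Bagle.I/J/K pattern). Standard library only; the
# message and archive are constructed here, with harmless text standing in for the worm.
import email
import io
import re
import struct
import zipfile
import zlib
from email import policy
from email.message import EmailMessage

def zipcrypto_encrypt(plain, password, crc):
    """Traditional PKWARE (ZipCrypto) encryption of one member: a 12-byte header whose last
    byte is the high byte of the member CRC (what decrypters check), then the data."""
    keys = [0x12345678, 0x23456789, 0x34567890]

    def crc_step(crc, c):  # raw CRC-32 table step: zlib.crc32 with its inversions undone
        return zlib.crc32(bytes([c]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

    def update(c):
        keys[0] = crc_step(keys[0], c)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = crc_step(keys[2], keys[1] >> 24)

    def encrypt_byte(c):  # keystream byte from key2, then advance keys on the plaintext byte
        t = (keys[2] | 2) & 0xFFFF
        k = ((t * (t ^ 1)) >> 8) & 0xFF
        update(c)
        return c ^ k

    for c in password:
        update(c)
    header = bytes(range(1, 12)) + bytes([(crc >> 24) & 0xFF])  # fixed, constructed nonce
    return bytes(encrypt_byte(c) for c in header + plain)

def build_encrypted_zip(name, data, password):
    """Minimal ZIP with one STORED member, ZipCrypto-encrypted (general-purpose flag bit 0)."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    body, fname = zipcrypto_encrypt(data, password, crc), name.encode("ascii")
    flags, mtime, mdate = 0x0001, 0, (24 << 9) | (3 << 5) | 1  # DOS date 2004-03-01
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, mtime, mdate,
                        crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, 0, mtime,
                          mdate, crc, len(body), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd

def password_candidates(body, window=4):
    """Tokens that follow a 'password' hint in the body, in order: a crude heuristic."""
    tokens, found = body.split(), []
    for i, tok in enumerate(tokens):
        if re.search(r"pass(word)?", tok, re.IGNORECASE):
            for t in tokens[i + 1:i + 1 + window]:
                t = t.strip(".,;:!?\"'()<>[]")
                if len(t) >= 3 and t not in found:
                    found.append(t)
    return found

def scan_message(raw):
    """Report encrypted ZIP attachments, the body password that opens them, executable members."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = msg.get_body(preferencelist=("plain",))
    candidates = password_candidates(text.get_content() if text is not None else "")
    report = {"encrypted_zip": False, "password": None, "executables": [], "suspicious": False}
    for part in msg.iter_attachments():
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_content()))
        except (TypeError, zipfile.BadZipFile):  # text attachment, or not a ZIP at all
            continue
        for info in zf.infolist():
            if not info.flag_bits & 0x1:
                continue
            report["encrypted_zip"] = True  # even with no password found, worth holding
            for pwd in candidates:
                try:
                    with zf.open(info, pwd=pwd.encode()) as fh:
                        fh.read()  # full read: a CRC mismatch rejects a lucky check-byte hit
                except (RuntimeError, zipfile.BadZipFile):
                    continue
                report["password"] = pwd
                if info.filename.lower().endswith((".exe", ".scr", ".pif", ".com", ".bat", ".cmd")):
                    report["executables"].append(info.filename)
                break
    report["suspicious"] = report["encrypted_zip"] and report["password"] is not None
    return report

def build_sample_message(password="54321"):
    """Constructed Bagle.I/J/K-style message: encrypted ZIP attached, password in the body."""
    stand_in = b"Constructed stand-in for the dropped executable. Not malware.\n"
    msg = EmailMessage()
    msg["Subject"] = "Re: Document"
    msg.set_content("Please see the attached file.\nPassword for archive: " + password)
    msg.add_attachment(build_encrypted_zip("document.exe", stand_in, password.encode()),
                       maintype="application", subtype="zip", filename="document.zip")
    return msg.as_bytes()
```

Calling `scan_message(build_sample_message())` returns a report with `encrypted_zip` and `suspicious` set, the password `54321` recovered from the body, and `document.exe` listed under `executables`. The wrong candidates ("for", "archive") are rejected either by the 1-byte check in the encryption header or, if that check happens to pass, by the CRC after a full read; an encrypted archive that no body token opens still leaves `encrypted_zip` set and should be held for review rather than delivered.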
As with previous Bagle variants, Bagle.I, Bagle.J, and Bagle.K attempt to shut down various security processes running on infected systems. This is in direct contrast to Netsky, which attempts to remove the registry entries that cause certain MyDoom and Mimail variants to load when Windows starts. For more information on Netsky, see the descriptions of Netsky.B, Netsky.C, and Netsky.D.
The text strings of the various worms include a series of insults and taunts aimed at the rival authors.
Bagle.J includes: "Hey,NetSky, f*ck off you b*tch, don't ruine our bussiness, wanna start a war?"
This is apparently in response to a string contained in Netsky.C that reads, "<-<- we are the skynet - you can't hide yourself! - we kill malware writers (they have no chance!) - [LaMeRz-->]MyDoom.F is a thief of our idea! - -< SkyNet AV vs. Malware >"
Netsky.D also contains a targeted string, "be aware! Skynet.cz - -->AntiHacker Crew<--"
MyDoom.G brings up the third flank, carting the 'message': "to netsky's creator(s): imho, skynet is a decentralized peer-to-peer neural network. we have seen P2P in Slapper in Sinit only. they may be called skynets, but not your sh*tty app."
"We suspect that several virus authors – or factions of virus authors – are competing in creating the most successfully spreading worm. So far we see three different groups or persons, each responsible for their own worm family; NetSky, Bagle, and MyDoom. Text messages inside these worms point in this direction", says Snorre Fagerland, senior virus analyst at Norman Data Defense Systems. "It seems like they are accusing each other of stealing ideas and code, in an attempt to achieve the highest number of copies spread on the Internet as fast as possible."
From February 25th through March 2nd, Netsky.C, Netsky.D, Bagle.C, Bagle.D, Bagle.E, Bagle.F, Bagle.G, Bagle.H, Bagle.I, Bagle.J, Bagle.K and MyDoom.G have been discovered. Of these, nearly half have been rated medium threats or higher.