Worm sleeps to avoid detection

Munir Kotadia | July 13, 2004 1:53 PM PDT

Summary

Although it is standard practice for virus writers to protect their malicious software, the new Atak worm apparently is exceptional.

The latest mass-mailing worm, Atak, hides by going to sleep when it suspects that antivirus software is trying to detect it.

Atak was first discovered Monday. Although antivirus companies do not expect it to cause much damage, they say it will be a nuisance because it can generate a large amount of spam.

Graham Cluley, senior technology consultant for antivirus company Sophos, said authors of malicious software generally try to make the job of antivirus researchers as difficult as possible by adding confusing code and using evasion techniques.

"Atak tries to tell when someone is stepping through the code to analyze whether it is a virus or not. Often, a virus will contain lots of code that is designed to make it more complicated for (antivirus) companies to write the detections," Cluley said.

Mikko Hypponen, director of antivirus research at Finnish company F-Secure, said that although it is common practice for virus writers to protect their malware, this worm is exceptional.

"It is standard for worms to have layers of encryption--or armoring--to keep out snoopers, but this goes way beyond that. It tries actively to detect if it is being analyzed by antivirus research tools. If it thinks it is being analyzed, it stops running and shuts down," Hypponen said.

Atak is not thought to be a serious threat. But because of recent detection and in-built protection, the worm's full functionality has not yet been fully analyzed. However, it is known that the worm contains text that seems to threaten other well-known worms and viruses, such as MyDoom, Bagle and Netsky.

Hypponen said there is a possibility that Atak will try to seek out and destroy "rival" worms.

"We haven't been able to figure out if Atak tries to disable some of these viruses," he said. "The message implies it does contain some code that attacks other viruses."
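The two behaviours the researchers describe, a sample that checks whether it is being stepped through and a sample whose strings mention rival worms, are exactly what an analyst wants flagged before choosing how to run it. The following triage helper is an added example written for this page, not code from the article, Sophos or F-Secure. It extracts printable strings from a byte blob the way the `strings` tool does, matches them against a small indicator table, and reports how the sample should be handled. The API names in the table are documented Windows debugger-detection calls chosen here as an illustrative assumption; the worm names come from the article; the byte blob is constructed, not a real Atak sample.

```python
"""Static triage: flag a sample that likely resists dynamic analysis.

Added example for this page; not code from the article or any AV vendor.
Indicator lists are assumptions chosen for illustration.
"""
import string

# Printable ASCII minus control whitespace; a single space is kept so that
# sentences such as the worm's taunt survive as one string.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
MIN_LEN = 5

# Documented Windows API names that code commonly imports when it checks
# for an attached debugger (assumption: this short list suffices to demo).
ANTI_ANALYSIS_APIS = (
    "IsDebuggerPresent",
    "CheckRemoteDebuggerPresent",
    "NtQueryInformationProcess",
    "OutputDebugStringA",
)

# Names the article says appear in the worm's text; matched case-insensitively.
RIVAL_WORMS = ("mydoom", "bagle", "netsky")


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return every run of at least min_len printable ASCII bytes in blob."""
    found, run = [], bytearray()
    for b in blob:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def triage(blob: bytes) -> dict:
    """Summarise anti-analysis and rival-worm indicators and pick a plan."""
    strs = extract_strings(blob)
    apis = sorted({a for a in ANTI_ANALYSIS_APIS if any(a in s for s in strs)})
    rivals = sorted({w for w in RIVAL_WORMS if any(w in s.lower() for s in strs)})
    # A sample that can tell it is being watched may simply exit or sleep,
    # so a short standard sandbox run would wrongly report "no activity".
    plan = ("stealth sandbox, long timeout, expect early exit or sleep"
            if apis else "standard sandbox")
    return {
        "anti_analysis_apis": apis,
        "rival_worm_mentions": rivals,
        "analysis_plan": plan,
    }


# Constructed stand-in for a sample: two debugger checks in the import
# names, a taunt naming the rival worms, plus ordinary API names.
SAMPLE = (
    b"\x00\x00MZ\x90\x00"
    b"kernel32.dll\x00IsDebuggerPresent\x00CheckRemoteDebuggerPresent\x00"
    b"\x01\x02We will kill MyDoom, Bagle and Netsky\x00"
    b"Sleep\x00ExitProcess\x00"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The point of the `analysis_plan` field is the one Hypponen makes: when a sample stops running as soon as it believes it is observed, a quiet sandbox run is a finding in itself, and the analyst should budget for a stealthier setup and a longer observation window rather than conclude the sample is inert.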

Munir Kotadia of ZDNetUK reported from London.
