The Slapper worm, which draws infected machines into a network that can be used to attack other computers, has mutated into two new forms, and is proving surprisingly difficult to kill off, according to antivirus companies.
Several virus vendors reported variants of the original Slapper.worm.A, called Slapper.worm.B, or "Cinik", and Slapper.worm.C, or "Unlock", appearing this week. The variants differ only slightly from the original worm, and all use essentially the same method of propagation.
Earlier reports had indicated that authorities were on the trail of a suspect in Ukraine, but security firms and authorities now say that this is not the case. Two industry journals quoted consultants from Internet Security Systems saying that a Ukrainian suspect had been arrested, but this appears to have been a false lead.
"We were involved with the FBI in checking this out, and there is no evidence of an arrest," said an ISS spokeswoman.
The worm exploits a flaw in the open-source security component used with many Linux-based Apache Web servers. That component implements the secure sockets layer (SSL), which e-commerce sites commonly use to secure transactions between the customer's computer and the company's server.
Slapper attacks Apache SSL servers running on Red Hat, SuSE, Mandrake, Slackware and Debian Linux. Antivirus firm F-Secure, based in Helsinki, estimates that there are more than one million Apache servers running SSL, many of which have not been patched.
The worm's threat appeared to level off and decline last week, after it had infected only around 15,000 machines -- far short of more disastrous worms such as Code Red, which hit 400,000 computers. But it is still creating a nuisance in more than 100 countries, according to F-Secure, with more than 120 businesses in Australia alone infected by Slapper.worm.B.
Both variants contain only minor adjustments to the original formula -- they use different ports and call themselves by different file names. Slapper.worm.B also uses a backup routine in which it loads a copy of itself from a Web site, after an attempt is made to remove the worm. However, this routine appears to have been disabled, according to F-Secure.
This makes the worm's continued spread all the more mysterious. F-Secure said that this was probably due to system administrators simply having too many worms and patches demanding their attention, noting that even after machines had been rid of Slapper they often seemed to reappear later in the worm's peer-to-peer network. "The hosts seem to get re-infected after a while," the company said in a statement.
Antivirus vendors are divided over Slapper's potential threat. F-Secure and Symantec, among others, have given it high-risk status, while Network Associates said the worm and its variants pose relatively little threat.