The latest mass-mailing worm is more annoying than dangerous, but Atak is interesting because it hides from antivirus researchers by going to sleep when it is being analysed
Atak was first discovered on Monday and although antivirus companies do not expect it to cause much damage, they say it will be a nuisance because it can generate a large amount of spam.
Graham Cluley, senior technology consultant for antivirus firm Sophos, said malware authors try to make the job of the antivirus researchers as difficult as possible by adding confusing code and using evasion techniques.
"Atak tries to tell when someone is stepping through the code to analyse whether it is a virus or not. Often, a virus will contain lots of code that is designed to make it more complicated for AV companies to write the detections," said Cluley.
Mikko Hyppönen, director of antivirus research at Finnish company F-Secure, explained that although it is standard practice for virus writers to protect their malware, this worm is exceptional.
"It is standard for worms to have layers of encryption -- or armouring -- to keep out snoopers, but this goes way beyond that. It tries actively to detect if it is being analysed by antivirus research tools. If it thinks it is being analysed, it stops running and shuts down," said Hyppönen.
Atak is not thought to be a serious threat, but because of recent detection and in-built protection, the worm's full functionality has not yet been fully analysed. However, it is known that the worm contains text that seems to threaten other well-known worms and viruses, such as MyDoom, Bagle and Netsky.
Hyppönen said there is a possibility that Atak will try to seek out and destroy 'rival' worms.
"We haven't been able to figure out if Atak tries to disable some of these viruses. The message implies it does contain some code that attacks other viruses," said Hyppönen.