Virus writer signals swansong for Netsky worm

The author of NetSky.K tells antivirus researchers "this is the last version" of the worm.

The latest variant of the NetSky worm, which is the 11th in less than a month, will be the last, according to a coded message from the worm's author.

NetSky.K was discovered on Monday, and security researchers found an unexpected message from the author within its code; although the authors of NetSky, Bagle and MyDoom have been engaged in a flame war for the past couple of weeks, this latest variant differs because it not only contains the usual insults to other virus writers, but also a message saying this would be the last NetSky variant.

Although the NetSky worm has caused misery for users, it is not malicious in the same way as Bagle and MyDoom, which have been designed for the sole purpose of transforming unprotected PCs into an army of spam senders. Recent versions of NetSky have actually attacked and removed the Bagle worm, and the author of NetSky refers to his team as "antivirus" writers.

Mikko Hypponen, director of antivirus research at Finnish company F-Secure, said the authors of NetSky are under the impression that they are good guys because they attack other worms: "The guy behind NetSky thinks he is doing a good thing--most likely a teenager and probably just one guy who is not part of a group of criminals."

In NetSky.K's code, the author writes: "We want to destroy malware writers' business, including MyDoom and Bagle...to F-Secure and so on, we do not want damage systems...We have respect of your work (Your heuristic scan is not good enough! Make it better). This is the last version of our antivirus. The source code is available soon."

Hypponen said he expects the NetSky author to stick to his word and stop releasing new variants: "We have no reason to doubt it, so I would be surprised if it isn't true."

A new version of the Bagle worm, Bagle.L, was discovered Tuesday. According to antivirus firm Panda Software, this worm contains a back door, which opens the TCP (Transmission Control Protocol) port 2745. Infected computers attempt to connect to an Internet address that hosts a PHP script. According to Panda, this is how the worm notifies its author that another computer has been infected.

Hypponen said the behavior of the latest Bagle worm is suspiciously similar to that of the original MyDoom worm, which so successfully launched a denial-of-service attack on the SCO Group's Web site. He suspects that Bagle and MyDoom are written, if not by the same person, then by the same team of coders.

"This family of Trojans has been used by spammers for several months," he said. "When MyDoom was distributed at the end of January, it left a back door. Through that back door they installed a specific Trojan, and after a few days, we started seeing spam being sent through those computers. The Bagle we found today drops the same Trojan. We are starting to think that it is the same group of people behind both Bagle and MyDoom."

Munir Kotadia of ZDNet UK reported from London.