The latest variant of the NetSky worm, which is the 11th in less than a
month, will be the last, according to a coded message from the worm's
NetSky.K was discovered on Monday, and security researchers found an
unexpected message from the author within its code. Although the authors of
NetSky, Bagle and MyDoom have been engaged in a flame war for the past
couple of weeks, this latest variant differs: it not only contains the
usual insults to other virus writers, but also a message saying this would be
the last NetSky variant.
Although the NetSky worm has caused misery for
users, it is not malicious in the same way as Bagle and MyDoom, which have been
designed for the sole purpose of transforming unprotected PCs into an army of
spam senders. Recent versions of NetSky have actually attacked and removed the
Bagle worm, and the author of NetSky refers to his team as "antivirus" writers.
Mikko Hypponen, director of antivirus research at Finnish
company F-Secure, said the authors of NetSky are under the impression that
they are good guys because they attack other worms: "The guy behind NetSky
thinks he is doing a good thing--most likely a teenager and probably just one
guy who is not part of a group of criminals."
In NetSky.K's code, the author writes: "We want to destroy malware writers'
business, including MyDoom and Bagle...to F-Secure and so on, we do not want
damage systems...We have respect of your work (Your heuristic scan is not good
enough! Make it better). This is the last version of our antivirus. The source
code is available soon."
Hypponen said he expects the NetSky author to stick to his word and stop
releasing new variants: "We have no reason to doubt it, so I would be surprised
if it isn't true."
A new version of the Bagle worm, Bagle.L, was discovered Tuesday. According
to antivirus firm Panda
Software, this worm contains a back door, which opens the TCP (Transmission
Control Protocol) port 2745. Infected computers attempt to connect to an
Internet address that hosts a PHP script. According to Panda, this is how the
worm notifies its author that another computer has been infected.
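As an added illustration, not code from the article or from Panda's analysis, the following Python sketch shows how a defender could sweep firewall logs for the two Bagle.L behaviours described above: inbound connections to the TCP port 2745 back door and an outbound HTTP request for a PHP script from the same host. The log format, addresses and URL are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not from the article); the format is an assumption.
SAMPLE_LOG = """\
2004-03-16T10:01:02 ALLOW TCP 10.0.0.5:3921 -> 10.0.0.20:2745
2004-03-16T10:01:03 ALLOW TCP 10.0.0.20:1047 -> 203.0.113.7:80 GET /notify.php?id=abc
2004-03-16T10:02:10 ALLOW TCP 10.0.0.8:2231 -> 10.0.0.9:445
2004-03-16T10:03:00 ALLOW TCP 10.0.0.9:1100 -> 198.51.100.4:80 GET /index.html
2004-03-16T10:04:00 ALLOW TCP 10.0.0.5:3950 -> 10.0.0.20:2745
"""

BACKDOOR_PORT = 2745  # TCP port Panda reported Bagle.L opening

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) TCP (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?: (?P<method>GET|POST) (?P<path>\S+))?$"
)

def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_bagle_indicators(log_text):
    """Per host: count of inbound TCP/2745 connections (back door) and the
    PHP URLs it fetched (the infection-notification beacon)."""
    backdoor = defaultdict(int)   # host -> inbound connections to port 2745
    beacon = defaultdict(list)    # host -> PHP URLs requested over HTTP
    for raw in log_text.splitlines():
        ev = parse(raw)
        if not ev:
            continue
        if int(ev["dport"]) == BACKDOOR_PORT:
            backdoor[ev["dst"]] += 1
        if ev["path"] and ev["path"].split("?")[0].lower().endswith(".php"):
            beacon[ev["src"]].append(ev["dst"] + ev["path"])
    suspects = {}
    for host in set(backdoor) | set(beacon):
        suspects[host] = {
            "inbound_2745": backdoor.get(host, 0),
            "php_beacons": beacon.get(host, []),
            "both": host in backdoor and host in beacon,  # strongest signal
        }
    return suspects
```

Hosts flagged with `both` set show the back door accepting connections and the beacon in the same log window, which is the combination worth triaging first.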
Hypponen said the behavior of the latest Bagle worm is suspiciously similar
to that of the original MyDoom worm, which so successfully launched a denial-of-service attack on the SCO
Group's Web site. He suspects that Bagle and MyDoom are written, if not by
the same person, then by the same team of coders.
"This family of Trojans has been used by spammers for several months," he
said. "When MyDoom was distributed at the end of January, it left a back door.
Through that back door they installed a specific Trojan, and after a few days,
we started seeing spam being sent through those computers. The Bagle we found
today drops the same Trojan. We are starting to think that it is the same group
of people behind both Bagle and MyDoom."
Munir Kotadia of ZDNet
UK reported from London.