The latest mass-mailing worm, Atak, hides by going to sleep when it
suspects that antivirus software is trying to detect it.
Atak was first discovered Monday. Although antivirus companies do not
expect it to cause much damage, they say it will be a nuisance because
it can generate a large amount of spam.
Graham Cluley, senior technology consultant for antivirus company
Sophos, said authors of malicious software generally try to make the job
of antivirus researchers as difficult as possible by adding confusing
code and using evasion techniques.
"Atak tries to tell when someone is stepping through the code to analyze
whether it is a virus or not. Often, a virus will contain lots of code
that is designed to make it more complicated for (antivirus) companies
to write the detections," Cluley said.
Mikko Hypponen, director of antivirus research at Finnish company
F-Secure, said that although it is common practice for virus writers to
protect their malware, this worm is exceptional.
"It is standard for worms to have layers of encryption--or armoring--to
keep out snoopers, but this goes way beyond that. It tries actively to
detect if it is being analyzed by antivirus research tools. If it thinks
it is being analyzed, it stops running and shuts down," Hypponen said.
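The behaviour Hypponen describes (check for an attached analysis tool, and go dormant if one is found) is a standard anti-debugging pattern. The following is an added illustration, not Atak's code and not based on any published analysis of it: a small Linux C program that reads its own /proc/self/status, parses the TracerPid field that the kernel fills in when a ptrace-based tool such as gdb or strace is attached, and skips its "payload" when that field is non-zero. Atak itself targeted Windows, where the equivalent checks use APIs such as IsDebuggerPresent; the Linux file and the function names here are this example's own assumptions.

```c
/* Added example: a ptrace-attachment check of the kind mass-mailing worms
 * use to hide from analysts. Linux-specific (reads /proc/self/status).
 * Not Atak's code; the function names are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Parse the "TracerPid:" line out of the text of /proc/<pid>/status.
 * Returns the tracer's PID (0 means nobody is tracing us), or -1 if the
 * field is missing, so the parser can be exercised on constructed input. */
long parse_tracer_pid(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    if (p == NULL)
        return -1;
    /* strtol skips the tab/space the kernel puts after the colon. */
    return strtol(p + strlen("TracerPid:"), NULL, 10);
}

/* Read our own status file and return the PID of any attached tracer. */
long tracer_pid_of_self(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* The evasion decision: only run the real code when no tracer is present.
 * A read error (-1) is treated as "suspicious" and also suppresses the run. */
int should_run_payload(long tracer_pid)
{
    return tracer_pid == 0;
}

int main(void)
{
    long tracer = tracer_pid_of_self();
    if (!should_run_payload(tracer)) {
        /* Mimic the "go to sleep" behaviour: do nothing observable. */
        printf("tracer pid %ld detected, going dormant\n", tracer);
        sleep(1);
        return 0;
    }
    /* Stand-in for the worm's real functionality; this demo only prints. */
    printf("no tracer attached, payload would run here\n");
    return 0;
}
```

Run the binary directly and then under `strace ./a.out` to see the two branches. This also shows why such checks are only a nuisance for analysts: the decision rests on a single comparison in `should_run_payload`, which can be patched out in a disassembler, and the check is blind to analysis methods that do not use ptrace, such as inspecting a virtual machine snapshot from outside the guest.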
Atak is not thought to be a serious threat. But because it was discovered
only recently, and because of its built-in protection against analysis,
the worm's full functionality has not yet been determined. However, it is
known that the worm contains text that seems to threaten other well-known
worms and viruses, such as MyDoom, Bagle and Netsky.
Hypponen said there is a possibility that Atak will try to seek out and destroy "rival" worms.
"We haven't been able to figure out if Atak tries to disable some of
these viruses," he said. "The message implies it does contain some code
that attacks other viruses."
Munir Kotadia of ZDNet UK reported from London.