Serial worm outbreaks continue to dog the Internet with more new variants of Bagle and Netsky released onto the Net yesterday, prompting experts to believe there may be a turf war going on between virus writers, with the Net as the battlefield.
Anti-virus companies have identified another two new versions of the Bagle worm, dubbed Bagle.H and Bagle.I, and a new version of the Netsky worm, Netsky.E, just hours after five new versions of Bagle and Netsky.D, a virulent new take on that worm, were released.
The new worm versions were rated "low" threats by Symantec, indicating that they were spreading slowly. However, Network Associates' McAfee anti-virus unit increased its rating of Bagle.H from "low" to "medium" threat, based on an increased number of submissions from customers and other Internet users.
Both new versions of the Bagle worm spread in zip files that require passwords to open, similar to the Bagle.F and Bagle.G variants that appeared over the weekend. The virus authors provide the password to unlock the zip in the e-mail message containing the virus.
Hiding their creation in a password-protected file allows authors to slip the virus by gateway antivirus filters, which cannot decode the file to read the signature of the virus inside. Some antivirus products can spot the virus by comparing information about the zip file attachment to known samples of the worm though.
Most new versions are modifications of previous versions, with slight changes to the subject lines, message text and attachments used to lure unsuspecting recipients.
Anti-virus experts don't know who is to blame for the flood of new worm variants that have appeared since mid-January, when Bagle and Mydoom first surfaced. Competing groups of virus writers may be behind the releases, using worms to battle for Internet turf that is measured in compromised hosts, said Brian Mann, outbreak manager at McAfee's Anti-virus Emergency Response Team unit.
Earlier versions of the Netsky worm removed copies of the Mydoom virus, which may be evidence of a kind of one-upmanship between virus authors, he said. While the Bagle worm continued to throw off new variants, Netsky.D continued to assault e-mail in-boxes with virus-generated e-mail messages.
Symantec updated Netsky.D to a "severe" threat on Monday, citing an "increased rate of submissions". NAI researchers saw a decrease in the volume of Netsky.D mail on Tuesday, but still rate it a "medium" threat and expect it to "be around for a while", Mann said.
Researchers are also looking at the security risks posed by the viruses, many of which open communications ports on infected systems that can be used to upload malicious software or remotely control the infected systems.