Despite the arrest on Friday of the suspected author of the Sasser worm, which affected millions of computers worldwide last week, a new variant of the worm has appeared.
This shows that there is an "organised group of delinquents" engaged in creating and distributing these worms, Panda Software SL's PandaLabs unit said in a statement.
German police arrested an 18-year-old boy after a search of his parent's house in the northern town of Rotenburg. He confessed to creating the Sasser worm, officials said, and is also being investigated on suspicion of creating the Netsky worm. The appearance of a variant would appear to have holed the theory that he was working alone, however.
The Sasser.E worm exploits the same Windows LSASS vulnerability targeted by its predecessors, according to PandaLabs. The situation is likely to get worse when company staff return to work after the weekend, it said.
Sasser.E searches the Internet for vulnerable computers and then copies itself to the Windows directory, leading to a systems error which forces the infected computer to reboot every 60 seconds. Security company McAfee rated the worm low risk, but noted that it attempts to confuse people trying to remove it by adopting a file named (lsasss.exe) which is very similar to a genuine filename present on most systems.
The same patch which protected against earlier versions of Sasser are also effective against Sasser.E, security experts said.
The Sasser.E worm also tries to remove any instances of the Bagle worm from users' computers, suggesting more rivalry between the virus-writing gangs. "This seems to indicate that there is a kind of cyber-war being waged among the creators of the Bagle, Mydoom, Netsky and Sasser worms, and it will continue to cause many more variants of the virus," Panda Labs said.