A teenager who confessed to creating the Sasser worm was behind the latest version of the bug, police and Microsoft have said.
This followed speculation yesterday from anti-virus firm Panda Software that the release of the last version proved a group of hackers was behind the worm since it appeared after Sven Jaschan, 18, was arrested in northwest Germany last Friday.
German police said they believed Jaschan released the lastest version earlier on Friday - with altruistic intentions of limiting the damage of previous worms. Microsoft told TechWorld that its technical analysis pointed to Sasser.E being released prior to Jaschan being taken into custody at his mother's house in the small town of Waffensen near Bremen. "We are confident that the suspect is the author of all five variants," a spokeswoman said today.
Frank Federau, a spokesman for the state criminal office in Hanover, told the Associated Press in Berlin the worm was "a slightly modified form" of the program that raced around the world over the past week, exploiting a flaw in Windows. "He did it with good intentions, but it had exactly the same damaging effects," said Sascha Hanke, a Microsoft data protection official in Germany. It warned users who hadn't patched their computers that they were vulnerable.
"The cause was erroneous programming of the virus," Hanke said. Like previous versions, Sasser.E caused Windows 2000 and XP machines to crash and reboot.
Jaschan faces a maximum five-year sentence if convicted of computer sabotage. He was arrested after people who knew him came forward. Microsoft said that if a conviction is secured, the informants stand to gain $250,000 rewards from the company's $5 million fund for hacker bounties. He was released pending charges after questioning last Friday, where he admitted creating Sasser, police said.
The teenager reportedly told officials his original intention was to create a virus, "Netsky A," that would combat the "Mydoom" and "Bagle" viruses, removing them from infected computers. That led him to modify Netsky, creating Sasser.
Some media commentators had talked of a "war" between authors. Experts told technology publications that one NetSky worm was written to wipe out Bagle on infected machines and that some versions of NetSky contained messages in their coding, sniping at the authors of Bagle and MyDoom. ''We kill malware writers. They have no chance,'' one said. The Bagle authors retaliated: ''Hey Netsky... Don't ruin our business. Wanna start a war?''
Jaschan labelled as speculation media reports that he created Sasser to drum up business for his mother's computer shop. "One can never rule out anything, but there are no facts to suggest it," he told AP.
Speculation about a group of writers being behind Sasser was also fuelled when a 21-year-old man was arrested in the southern German town of Waldshut. He reportedly admitted to creating the Trojan horse programs Agobot and Phatbot. But a police spokesman said that there was no connection with Jaschan.
Yesterday, Panda Software said the release of Sasser.E showed that there was an "organised group of delinquents" engaged in creating and distributing the worms. The company said that because Sasser.E tried to remove any instances of the Bagle worm from infected computers, it suggested rivalry between virus-writing gangs.
"This seems to indicate that there is a kind of cyber-war being waged among the creators of the Bagle, Mydoom, Netsky and Sasser worms, and it will continue to cause many more variants of the virus," a statement from Panda's labs said.
Other IT security companies had said that the timing of the last release, the number of variants of Sasser and NetSky, plus information gleaned from studying the worms, suggested a group or authors. Technology media reports said that Sasser.E was not spotted on the Internet until nearly four hours after Jaschan's arrest. Some said today that the slow circulation could have been down to more people having downloaded the relevant patch by then.
Comments hidden in previous versions of Sasser and NetSky referred to a "crew" of authors and hinted that they were from several countries.
One expert said that there were comments in Russian in one version. Jaschen's confession and the discovery of the Sasser source code on his computer did not rule out the involvement of others, Mikko Hypponen, of F-Secure said.