Anti-virus experts have revealed that a war between rival virus writers is behind the sudden glut of new worms released on the Net this week.
New versions of the MyDoom, Netsky and Bagle worms have all appeared on the Internet in the last 24 hours but researchers have uncovered text messages in two of them that suggests a battle is underway between virus writers.
Spiced with foul language and bad spelling, the messages portray a playground-style brawl between the authors, with the Internet worms acting as messengers. "Hey, Netsky...don't ruine [sic] our bussiness [sic], wanna start a war?" reads a message in the Bagle.J worm's code, according to security company Sophos.
A message found in Netsky.F reads: "Skynet AntiVirus -- Bagle - you are a looser [sic]!!!!," and the recent Mydoom.G virus also includes hidden comments critical of the Netsky worm, another anti-virus company F-Secure said. The back and forth between virus authors started in January when Netsky began removing the Mydoom and Bagle viruses from machines it infected, Al Huger, senior director of engineering for security response at Symantec, said.
The spat escalated in recent weeks, with multiple versions of the Bagle and Netsky worms appearing on an almost daily basis, primarily as vehicles for delivering new barbs and insults from the authors, Huger said.
Sparring matches between virus writers and hackers are nothing new, however the seriousness of the recent outbreaks has put this shouting match in the public eye. "This behavior isn't new. The hacking community has been doing this for years," he said.
The exchanges have been amusing to weary anti-virus researchers, who are also hopeful that they might lead to the capture of one or more of the worm authors. "The more they talk, the more they open up chances to get caught," Huger said.
Examples of Netsky.F, Bagle.K and Mydoom.H were isolated yesterday. All three variants resemble their predecessors, which spread in e-mail messages with vague-sounding subjects using infected attachments. The viruses have their own SMTP engines and harvest e-mail addresses from infected computers, which are then targeted with infected mail.
The Bagle and Mydoom worms also open communication ports on infected systems which can be used by remote attackers to route spam, send malicious instructions to the computer, or install remote monitoring software.