Friday, September 17, 2004

Virus Author on War

You may have noticed that there are more than 60000 viruses around the world, but the most active ones right now are Netsky and MyDoom, which have affected most Windows versions. If you visit Symantec's securityresponse site, you will see that there are a lot of variants of these dangerous viruses. Usually Symantec gives names like Netsky.A, Netsky.B, ..., but there has been an exception for MyDoom. The latest variant of the MyDoom virus was named MyDoom.AA (using two letters to represent the variant). This means the virus has a lot of 'fans' who modify the original source code and release the result as new variants.

A new variant of the MyDoom Internet worm contains some puzzling add-ins: a photo that bears a likeness of Sven Jaschan, whom police in Berlin last week charged with computer sabotage after he admitted to authoring the Sasser worm, and a high-level description of how it does what it does. The variant, which is being called MyDoom.AA by Computer Associates International Inc. and MyDoom.Y by F-Secure Corp. and McAfee Inc., among other names, packs in its payload a description from the author on how the virus was programmed, what it's supposed to do and how it retrieves e-mail addresses from, for example, Microsoft Corp.'s Outlook address book.

That's nothing new, though, since that's a typical characteristic of MyDoom variants. The one thing that's unique in the how-to file is the fact that it's a "high-level summary." MyDoom.AA contains a remote-controlled payload that it installs along with the photo of Jaschan on infected systems. Anybody who knows the worm is there can remotely connect to the infected computer, allowing an intruder to effectively take control of the system as if he or she were logged in and sitting at the keyboard.

Jaschan in May told authorities he had created the Netsky virus in order to automatically remove two other viruses from infected systems: MyDoom and Bagle. After creating several Netsky variations, he went on to create Sasser.

So... the war is not just between users and virus creators, but also among the virus creators themselves.
