Rapid MyDoom, Bagle and Netsky variants do battle to control your computer
By Matt Whipp
Posted on 3 Mar 2004 at 11:55
New variants of MyDoom, Bagle and Netsky arrive in quick succession as the battle to control infected computers heats up.
Sophos has issued alerts this morning for MyDoom-G and H, Bagle-J and K and Netsky-F.
The worms are fighting for control of infected computers, which the virus writers can use for their nefarious activities. Bagle-J contains the text 'Hey,NetSky, [expletives removed], don't ruine our bussiness, wanna start a war?'
'You wish that they would have this slagging match on a message board or in a dark alley, rather than on the Internet,' said Graham Cluley, senior technology consultant for Sophos. 'It's like an argument where everyone wants the last word.' So the flood of viruses doesn't look likely to end any time soon.
The text in Bagle-J supports the theories of antivirus companies that virus writers are being given a financial incentive to write these worms - perhaps by spammers who can send their emails through the infected machines.
And indeed previous variants of Bagle and Netsky remove evidence of infection by their rivals.
The slew of new worms brings a fine-tuning of the methods of attack: short, changeable messages so that victims are unsure what to look out for, and attachments that carry multiple extensions or arrive compressed and password-protected, in the hope of bypassing antivirus software and users who may already be suspicious of .exe and .vbs files.
MyDoom-G also stops itself from sending its infected mails to antivirus companies, in the hope that this will delay them from getting wind of the new variants. 'They are trying to avoid us, so that users have to send infected emails on to us manually,' said Cluley. 'But we've got honeypots around the world to pick these things up that the virus writers don't know about.'
MyDoom-G will also launch a denial of service attack against Symantec's site. Symantec's Norton antivirus software is popular with home users, and if the attack is anything like as successful as MyDoom-A was against SCO, its customers may have difficulty updating their software to protect against infection.
Cluley said that businesses should block executable attachments at the email gateway. But it is home users, he said, who really need help. 'ISPs for home users could really help a great deal. Some of them already have buttons - Click here if you don't want spam. Well they should also have a button for - Click here if you don't want executable attachments. It would also help their bandwidth. I wish home users would start lobbying for this sort of thing,' he said.
For more information visit the Sophos website.
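As an added illustration (not code from the article or from Sophos), here is a minimal sketch of the gateway check described above: it rejects attachments whose final extension is executable, which catches the multiple-extension trick, and looks inside ZIP archives, rejecting encrypted members because they cannot be scanned. The blocklist, function names and sample message are assumptions constructed for this example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist for this example; a real gateway policy would be longer.
BLOCKED_EXT = {".exe", ".vbs", ".pif", ".scr", ".com", ".bat", ".cmd"}

def ext_of(name):
    """Final extension, lower-cased; Windows ignores trailing dots and spaces."""
    name = name.lower().rstrip(". ")
    return name[name.rfind("."):] if "." in name else ""

def zip_verdict(data):
    """Return a reason to reject a ZIP attachment, or None if nothing was found."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:      # general-purpose bit 0 = encrypted
                    return "encrypted archive member: " + info.filename
                if ext_of(info.filename) in BLOCKED_EXT:
                    return "executable inside archive: " + info.filename
    except zipfile.BadZipFile:
        return "unreadable archive"

def check_message(raw):
    """Return [(filename, reason)] for every attachment the policy would block."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if ext_of(name) in BLOCKED_EXT:       # only the last extension counts
            findings.append((name, "executable extension"))
        elif data[:4] == b"PK\x03\x04" and (reason := zip_verdict(data)):
            findings.append((name, reason))   # sniffed by content, not by name
    return findings

def sample_message():
    """Constructed sample: harmless bytes under worm-style attachment names."""
    kind = dict(maintype="application", subtype="octet-stream")
    msg = EmailMessage()
    msg.set_content("see attachment")
    msg.add_attachment(b"not a program", filename="document.txt.pif", **kind)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt.scr", b"not a program")
    msg.add_attachment(buf.getvalue(), filename="details.zip", **kind)
    return msg.as_bytes()
```

Calling `check_message(sample_message())` flags both constructed attachments: the first by its final extension, the second by the executable name found inside the archive.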
