By Jay Lyman TechNewsWorld Part of the ECT News Network
04/27/04 9:38 AM PT
It appears writing viruses is becoming as easy as ABC, particularly given the deluge of worm variants in the Bagle, Netsky and Phatbot families. But the collections of worms are causing some confusion among virus fighters as well as increased danger for users.
The latest example is the Bagle.Z variant, which, among various antivirus and other security companies, is also known as Bagle.AA or Bagle.Y. Companies such as McAfee and MessageLabs have indicated that while there was a sharp increase in the spread of this variant earlier in the week, it probably will have minimal impact overall.
The overarching effect of the variant race that has pitted Bagle authors against Netsky authors and has been buoyed by other variants of the MyDoom and Gaobot/Phatbot viruses, however, is an increasing number of targets and victims, according to iDefense director of malicious code Ken Dunham.
"They're actually just pounding the Internet with wave after wave of new variants," Dunham told TechNewsWorld. "It's proving to be a successful strategy, and it's working for Bagle, Netsky and Gaobot/Phatbot."
Gang Warfare
MessageLabs senior antivirus technologist Alex Shipp said that while the Bagle.Z variant seems to be trailing off in its spread, the worm marks an ongoing feud that is unprecedented.
"I don't think we have seen something like this where two rival gangs are trying to outdo each other," Shipp told TechNewsWorld. "There is also an economic factor, as they're gathering infected PCs and selling them to the highest bidder."
Shipp said infected PCs, also known as zombies or bots, are being put to use primarily by spammers who not only send unwanted e-mail through them, but also use the compromised machines to host Web sites and crunch large-scale parcels to learn mail-server passwords.
Worm by Any Other Name
The latest Bagle variant, which spreads via e-mail and changes its file size upon each infection, includes a poem in its attachment.
There seems to be agreement that the worm, which comes after a lull in Bagle variants that peaked in March, will not spread significantly on the Internet or among PC users. There is not agreement, however, on what to call the variant.
"It is a complete mess," said Dunham, referring to at least three different names for the newest Bagle variant. "But that's okay because we know what it is based on its actual attributes."
Still, Dunham said, there is a need for more standardized naming of viruses and worms as higher numbers of variants perpetuate confusion.
"Without naming standards, it's more confusing than it should be," he said.
Keeping Up to Speed
Dunham indicated that while the name game does cause confusion among antivirus experts and companies, customers are only focused on defending against current threats, regardless of their names. He noted that smaller companies are increasingly the targets of denial-of-service attacks via the worms.
He added that although antivirus and other security companies do cooperate when needed, there is a competitive aspect to getting updated signatures out first -- and doing so requires bestowing a name on a virus.
Shipp said MessageLabs previously gave viruses and worms a temporary name that would then be changed when there was agreement in the industry. However, he said, the speed at which new variants are emerging makes that model difficult.
Both Dunham and Shipp expressed fatigue as a result of fighting the seemingly constant flow of new variants and other worms. "We'll be glad when this whole Netsky-Bagle thing is over," Shipp said.