Virus war still creating havoc for corporate users

More than 70 companies felt the sting last week of a silent but damaging virus war that has been raging since the start of the year between the authors of Netsky and Bagle, and which is continuing to wreak havoc on corporate users worldwide.

Downed networks are being used as online trophies, as proof of infection, within virus-writing communities. A new version of the mass-mailer Bagle (Bagle af, ag, ah) contains an SMTP engine to construct outgoing messages and collates addresses from local files.

Unlike other viruses, the Bagle artillery is aimed squarely at its main competitor Netsky.

On Netsky-infected computers, the virus replaces Netsky with copies of Bagle. It also adds files to the system to trick it into thinking it is already running Netsky, so a further copy isn't downloaded.

McAfee Australia marketing manager Alan Bell said there has been a war between virus writers since the beginning of the year, adding that Bagle has become so prolific because it has been designed as a generic virus that targets everyone.

"The writer of Bagle appears to be churning out variants in an attempt to break systems, but the war between virus writers has been going on since the beginning of this year," Bell said.

"Every time a Netsky virus was released a Bagle variant would appear straight away, but it has quietened down since the alleged creator of Netsky was arrested."

Police in Germany arrested a teenager in May who is allegedly responsible for the creation of the Sasser worm; he then confessed to creating Netsky, and the subsequent 30 variations, in his bedroom.

It is suspected the first shot was fired in January when the Netsky worm began removing Mydoom and Bagle worms from PCs.

Trend Micro technical services manager Mark Sinclair said that in the past week the company has seen 72 incidents of the Bagle virus in Australian organisations.

Sinclair said most of the companies stopped infection at the gateway; what makes Bagle more effective is the use of password-protected zip files.

"But the latest variants of Bagle (af, ag, ah) actually add information to systems that prevents Netsky from propagating - it attempts to delete registry keys that Netsky uses to disable it and also drops files into the system to make it think the Bagle-infected machine is already running Netsky so it doesn't download another copy," he said.