Reheated Bagle comes with side of source code

Use of assembly language indicates worm's author is no novice, but it won't take an expert programmer to breed new variants.

Stay on top of the latest tech news with our free IT News Digest e-newsletter, delivered each weekday. Automatically sign up today!

By Munir Kotadia
Special to CNET

The author of mass-mailing worm Bagle began distributing its source code and two new variants on Sunday, which could trigger another summer of misery for Windows users.

The in January as an e-mail attachment. Within months, there were more than 25 variants.

Infected PCs download a Trojan that effectively enlists that computer into the worm author's army of zombie PCs, which can be used to and other malware and to launch distributed denial-of-service attacks.

This weekend saw not only two new versions of the Bagle worm released, but also what appears to be the worm's original source code.

Mikko Hypponen, director of antivirus research at F-Secure, said he believes the source code is genuine. He added that it is written in pure assembly language, also known as assembler, which indicates the responsible is a serious programmer and not a script kiddie.

"Most e-mail worms are written in C, or partly in C and partly in assembler. There are not that many people that are this good in assembler any more, so it is a serious programmer behind it," said Hypponen.

More IT news stories
Professor gives Cisco manual away for free
Veritas to miss earnings mark
Group seeks to overturn 10 patents
Music downloaders hit by acronym cacophony

Hypponen said that although the assembly language is difficult to master, it will not take an expert to modify the code and create new Bagle variants, so Windows administrators should expect a busy summer.

"It is trivial to modify things (such as) which port the back door is using or what kind of e-mails it sends. I am sure this will result in a new outbreak of Bagle variants—like we saw in February and March," Hypponen said.

Richard Starnes, vice president of security industry group ISSA UK, said the source code is "dangerous" but noted that it could hold clues that will help law enforcement agencies track down the author.

Starnes said that because the source code contains the —generally designed to help other people understand what different sections of the code are doing—it could narrow the list of suspects.

"If you give 10 people a specification for a program, you are going to get 10 different programs. There will be similarities, but they will have different methods of operation—such as how they name variables, how they code, how they comment on the code. It is not unlike a fingerprint," Starnes said.

However, another reason for releasing the source code could be that the author trying to reduce the burden of evidence against him.

Hypponen said another theory is that the author is spreading the source code to as many PCs as possible so that if he is arrested, he won't be the only person to have that code on his computer.

The decision to distribute the source code could have been triggered by an announcement on Friday that the British, U.S. and Australian governments have agreed to work together in the fight against spam distribution.

In January, the source code of MyDoom started spreading a few days after Microsoft and the SCO Group put up a combined $500,000 of the virus' author.

"This might be a similar tactic. On Friday, the perfect evidence against the author of Bagle was that his computer contained the original source code. Today, that is no longer the case," said Hypponen.

Munir Kotadia of reported from London.

Editor's Picks

Free Newsletters, In your Inbox