The name "andy" left in the code by the author of the MyDoom virus links the original program released a week ago with the B variant sent out two days later, Jimmy Kuo, McAfee fellow for security company Network Associates, said on Monday.
Get Up to Speed on...
Get the latest headlines and
company-specific news in our
expanded GUTS section.
Other hints, including numbers that appear to designate the version of the program, indicate that the fast-spreading virus was created by a professional programmer.
"It looks like what someone would write when they check in source code," said Kuo, who has been researching the virus. "The interpretation is that 'andy' is the person checking the code in."
In addition, the author left a message in the second version of the virus for those with PCs infected with the program: "I'm just doing my job, nothing personal, sorry."
The MyDoom virus, also referred to as a worm, started spreading last Monday and has swamped corporate systems worldwide with a large number of e-mail messages that appear to be errors returned from a mail server.
The virus-laden e-mails have an attachment that, when opened, installs a program on the victim's computer, in order to open up a software "back door." The attacker can then bypass the PC's security and turn the affected system into a "bounce point" for any network-based attack.
The first MyDoom is programmed so that infected computers will send data to the main Web server of the. The second version of MyDoom is set to strike Microsoft's main Web site between Feb. 3 and March 1, in addition to hitting SCO. (The SCO Group has incurred the wrath of the Linux community for its claims that important pieces of the open-source operating system are covered by SCO's Unix copyrights. IBM, Novell and other Linux backers strongly dispute the claims.)
While some researchers believe the MyDoom code may have originated in Russia, it's almost impossible to pin down Patient Zero--the first infected computer--or the person actually released the virus, Kuo said.
Further analysis indicates that there may be some good news for Microsoft, Kuo said. A programming error in the virus may mean that, starting Tuesday, only 7 percent of PC infected with the B variant will actually attack Microsoft at the same time.
"We think that...7 percent won't be that large a number," Kuo said.