Reheated Bagle comes with side of source code
Use of assembly language indicates worm's author is no novice, but it won't take an expert programmer to breed new variants.
The Bagle worm first appeared in January as an e-mail attachment. Within months, there were more than 25 variants.
Infected PCs download a Trojan that effectively enlists that computer into the worm author's army of zombie PCs, which can be used to distribute spam and other malware and to launch distributed denial-of-service attacks.
This weekend saw not only two new versions of the Bagle worm released, but also what appears to be the worm's original source code.
Mikko Hypponen, director of antivirus research at F-Secure, said he believes the source code is genuine. He added that it is written in pure assembly language, also known as assembler, which indicates the author responsible is a serious programmer and not a script kiddie.
"Most e-mail worms are written in C, or partly in C and partly in assembler. There are not that many people that are this good in assembler any more, so it is a serious programmer behind it," said Hypponen.
Hypponen said that although the assembly language is difficult to master, it will not take an expert to modify the code and create new Bagle variants, so Windows administrators should expect a busy summer.
"It is trivial to modify things (such as) which port the back door is using or what kind of e-mails it sends. I am sure this will result in a new outbreak of Bagle variants--like we saw in February and March," Hypponen said.
Richard Starnes, vice president of security industry group ISSA UK, said the source code is "dangerous" but noted that it could hold clues that will help law enforcement agencies track down the author.
Starnes said that because the source code contains the author's comments--generally designed to help other people understand what different sections of the code are doing--it could narrow the list of suspects.
"If you give 10 people a specification for a program, you are going to get 10 different programs. There will be similarities, but they will have different methods of operation--such as how they name variables, how they code, how they comment on the code. It is not unlike a fingerprint," Starnes said.
However, another reason for releasing the source code could be that the author trying to reduce the burden of evidence against him.
Hypponen said another theory is that the author is spreading the source code to as many PCs as possible so that if he is arrested, he won't be the only person to have that code on his computer.
The decision to distribute the source code could have been triggered by an announcement on Friday that the British, U.S. and Australian governments have agreed to work together in the fight against spam distribution.
In January, the source code of MyDoom started spreading a few days after Microsoft and the SCO Group put up a combined $500,000 reward for the capture of the virus' author.
"This might be a similar tactic. On Friday, the perfect evidence against the author of Bagle was that his computer contained the original source code. Today, that is no longer the case," said Hypponen.
Munir Kotadia of ZDNet UK reported from London.