Viral turf war
I remember very well the competing worms that came out in early 2004, Netsky and Bagle (Beagle), and to a degree Mydoom as well. One would try to uninstall the other as they fought for control of a PC. They were the work of competing gangs who were literally waging a turf war with home (and business) computers. The same seems to be happening with the latest round of Plug and Play worms (viruses, bots).
According to the Security Fix, F-Secure has details on the different “families” of worms and bots fighting for control of vulnerable PCs. They detail three Zotob variants, one Rbot, one sdbots (sic), three IRC bots and two variations of Bozori.
They go on to say…
RCBot.EU variant deletes Zotob.A and B, the Bots that are using the Plug-and-Play vulnerability and some adware.
Bozori.B variant is trying to remove Zotob.A and .B as well as some of the Bots that are using the same vulnerability.
So what is the goal? Bot networks are sold in some of the seedier spots online for dollars per thousand machines. Essentially, the “buyer” gets to control the network to relay junk mail or for who knows what other purposes (storing illicit content for various websites?). Also, with that large a number of machines, a distributed denial-of-service attack is doable. So one group might DDoS the other group’s website, or the website of a group they don’t like.
If you have a machine that has not been patched (or even one that has), it is VITAL that you do yourself (and EVERYONE) a favor by making sure you have current antivirus and run a scan using recent (today’s) definitions. Otherwise you might not be the person that “owns” your machine. The recent bots primarily affected Windows 2000. They do not seem to affect other versions of Windows, but the code can run on them (2003, XP, even NT, 98, 95 and ME).
Even if you’re on a platform unaffected by this worm, this might be good motivation to see if you’re one of the folks that still has a version of Netsky or Mydoom on their PC.