Security threats Toolkit

Korean worm turns out to be Baba variant

Dan Ilet ZDNet.co.uk

Published: 22 Oct 2004 17:15 BST

Antivirus companies have mislabelled a worm they thought belonged to the Netsky virus family, a security expert has said.

Senior technical consultant at Sophos Graham Cluley said that antivirus firms should have labelled the virus as a 'W32/Baba' worm. But, he added, after F-Secure categorised the worm as a Netsky variant, many of other antivirus companies followed their lead.

"The guys in the labs have looked more closely at this and said that this isn't Netsky," Cluley said. "Kaspersky has also found the same thing. It's actually called Baba. As far as we can see, it bears no relation to Netsky."

F-Secure swiftly made a turnaround on its decision and re-labelled the worm as Baba.

"I think [Cluley] is right," said F-Secure's director of antivirus research Mikko Hyppönen. "It is complex because there are several families. It's becoming a bit academic. Later on we saw that it was something else. But the bottom line is that it's a mass-mailer."

Cluley said that even though the virus was a Baba variant, it looked as if it was still connected to a South Korean university.

At the time of writing, Symantec still had the virus labelled as Netsky.

Reports stated that the original Netsky author Sven Jaschan was responsible for more than 70 percent of virus infections earlier this year. Jaschan, who was arrested in May, was recently offered a job by German firewall company Securepoint.