Worm writer turns worm catcher - with little success

The author of a worm which caused widespread disruption to PCs and networks has attempted to repair the damage by creating software to remove it. However, security experts say the removal software is considerably less effective than the original worm.

Police arrested Li Jun, author of the Panda worm last month (the malicious software is also known under the names Fujacks and Worm.Whboy). They ordered him to write the removal tool (shown in this screenshot), saying it could win him more lenient treatment when he went on trial, according to Chinese press reports.

The worm caused considerable disruption to PCs and networks in China. Reports of the number of PCs affected varied from 'hundreds of thousands' to millions. Li was paid at least $20,000 to create the worm, which was designed to steal valuable online gaming account and instant messenger passwords.

The online gaming accounts gave access to game items and characters which could be sold for cash. The accounts themselves were sold to 'gold farmers', who used them to generate more income.

Li's business partners also made money, according to security firm Symantec. One was able to buy a new Jeep with the income, and commented that “this is a better money making industry than real estate,” according to local media.

Following his arrest, authorities ordered Li to write the removal tool. However, his worm-writing skills appear to be considerably more advanced than his worm-catching skills, according to Symantec. Security researcher Hon Lau of Symantec found that the tool failed to remove older versions of the worm, and was only partially effective against newer versions.

Li's malware-creating skills have also been called into question. China's latest password stealing viral threat, the Gray Pigeon virus, is said to be ten times worse than his Panda worm, according to online news sources (link in Chinese). Gray Pigeon incorporates a remote control client which can give an attacker full control of the victim's PC

The Panda removal tool also includes a lengthy letter of apology from Li - visible in the screenshot above. He and his partners now face fines and jail terms of at least four years, according to local media.

Profit-driven virulence

"From a technical point of view, W32.Fujacks and its variants are not very complicated. There is no cutting edge technique used. The question is 'What on earth can make it so successful?'", asks Symantec researcher Robert X Wang.

"Unlike most other common viruses,W32.Fujacks and its variants were updated with an astonishing frequency," Wang explains, "Within 3 months, dozens of variants have been found. These variants are not only repacked with a new harder to detect packer – obviously, Mr Li and his friends are driven by profit – they also attempt to add more and more functions to make it spread widely and steal more valuable assets. These frequent updates cause considerable trouble for the scanning and repairing of computers infected by the W32.Fujacks family."

The worm takes advantage of a vulnerability in Microsoft's MDAC (Microsoft Data Access Components) to inject an executable program or malicious javascript into an unprecedented laundry list of file types including .exe, .pif, .com, .scr, .asp, .aspx, .htm, .html, .jsp, and .php files. Vulnerable PCs can affected by simply viewing a web page where one of these files is stored, or by receiving an infected email or clicking on an instant message download link.

While Microsoft issued a patch for this vulnerability last year, many PC owners have apparently not applied it.