Security threats Toolkit

BitDefender sees Al-Qaeda link in new Atak worm

Munir Kotadia ZDNet.co.uk

Published: 16 Jul 2004 12:30 BST

A second variant of the Atak worm, which goes to sleep to avoid detection by antivirus software, has been linked to an Al-Qaeda sympathiser who once threatened to release a powerful worm if the US attacked Iraq.

Romanian antivirus firm Bitdefender claims the worm's author has signed his nickname into an encrypted part of the worm's code.

Mihai Radu, communications manager at BitDefender, told ZDNet UK that the virus, discovered on Friday, is signed by Melhacker, which is the moniker of a Malaysian-based coder called Vladimor Chamlkovic, who in 2002 threatened to release an "uber-worm" if the US attacked Iraq.

Mikko Hyppönen, director of antivirus research at Finnish company F-Secure, said it is possible that Melhacker wrote Atak.B but that doesn't mean it has anything to do with Al-Qaeda.

"I think there's no proof anywhere that Melhacker is in any way associated with Al-Qaeda. He might want to be, though," said Hyppönen.

According to Radu, Atak.B is a mass-mailing worm that tries to turn off the most popular antivirus and firewall applications and then open a backdoor to give control of the system to the author. Like its predecessor, the worm attempts to avoid being detected by antivirus researchers by going to sleep when scanned.

Hyppönen said Melhacker has released several viruses, including Nedal (Laden backwards) and Blebla. In a 2002 interview with US-based Computerworld Magazine, Melhacker said he had combined the worst of the Nimda, Klez and SirCam viruses to create a super worm called Scezda. At the time, he said the worm was written and ready to be released, but so far it has not materialised.