Another purported do-good virus called "CodeGreen" has been launched on the Internet, scanning systems for Code Red II infections and applying a patch as it spreads. But security officials say the worm cannot be trusted.
Security experts, who almost unanimously dismiss the idea of fighting a virus with a virus, say the concept is interesting and may hold promise on a tightly controlled computer network but is nothing but trouble "in the wild" on the Internet.
"The danger of using a worm or virus is that there's no way to recall the thing if it started doing something bad," Symantec Anti-virus Research Center (SARC) director Vincent Weafer told NewsFactor Network. "There are just too many variables to take into account."
CodeGreen Hits Red Light
Weafer said CodeGreen, reportedly written by a German author known as "Der HexXer," scans the Internet for Microsoft IIS servers infected by Code Red II and runs through a series of steps before downloading security patches. But there is some concern over whether it is the right patch and about the installation method.
After applying its patch, the worm starts off several threads in order to propagate, according to Weafer, who said the worm's spread is limited to German operating systems.
"It is getting out [and] modifying machines," Weafer told NewsFactor.
Net Effects
Still, experts say, the uncertainty of the Internet at large makes a benign virus unlikely.
"It's an interesting idea, but you can have a lot go wrong," eEye Security official Marc Maiffret told NewsFactor. "You can be the one crashing servers, putting up faulty patches and installing them improperly."
Maiffret, whose firm is credited with discovery of the Code Red virus, said the idea of a virus-fighting virus was discussed when the worm was first discovered. However, he explained, security firms would not and could not release a virus to fight a virus because "it's completely illegal."
"It's breaking into servers," he said, adding that it's nearly impossible to test a do-good virus.
"As much as it's supposed to be static, the Internet is its own life form," Maiffret said. "It's not something that you can test very easily."
Practical Application
While he agreed that the unpredictability of both viruses and the Internet makes anti-virus worms unlikely, Weafer said that virus-like code could be used on a corporate or other network that can be controlled. He added that Symantec has launched such patch mechanisms "in the corporate space."
"That's very different from a worm that looks for infected systems on the Internet," Weafer said.
Weafer added that commercial scanning mechanisms that alert users to infection are more comprehensive and robust than a virus, which could cause a system to crash or slow down a network.
Code Too Tight
Maiffret downplayed the significance of CodeGreen, saying it would "not necessarily do any good and not necessarily do any bad." He told NewsFactor that an effective virus-fighting virus is "doable."
"But nobody has the right to launch anything like that," he said.
Maiffret also said that if the code were written so well and "so tight," it could spread too successfully and slow down a computer network.
Network Associates director of anti-virus research Vincent Gulotto told NewsFactor that the security industry has discussed the idea and there is agreement that a "good virus" is a bad idea.
"Unless you're going to take that virus and walk it from machine to machine -- just letting it loose on a network is not a good idea," Gulotto said.
"That's dangerous."
By Jay Lyman, NewsFactor Network