Another Sasser worm appears despite teen’s arrest

Despite the arrest last week of an 18-year-old in Germany accused of creating the Sasser worm, another variant rolled onto the internet a few hours after he was detained.

Security experts are undecided whether the new variant, dubbed Sasser.e, indicated that the arrested teen was actually working alone -- the 'lone coder' theory put forward by, among others, Microsoft -- or was part of a group. If it's the latter, additional versions could be forthcoming.

According to wire service reports, however, German police claim that Sasser.e is the work of Sven Jaschan, the man arrested last week. Frank Federau, a spokesman for the state criminal office in Hanover, said the suspect likely created it 'immediately before his discovery'.

The confusion may lie in timing: Sasser.e was first noticed nearly four hours after Jaschan's arrest. But that may only mean anti-virus firms didn't spot it immediately.
'However, since Sasser.e spreads really fast, there must be even earlier spottings,' said the Finnish security firm F-Secure in an alert posted to its website Sunday [US].

Other analysts took a different tack, and believed that the debut of Sasser.e meant Jaschan was not acting alone.
'This confirms our fears that [Jaschan] is not the only person programming the Sasser and Netsky worms, but rather it is an organised group of delinquents,' said Luis Corrons, the head of Panda Software's virus lab, in a statement.

'This seems to indicate that there is a kind of cyberwar being waged among the creators of the Bagle, MyDoom, Netsky, and Sasser worms, and it will continue to cause many more variants of the virus.'

Sasser.e -- which exploits the same vulnerability in Windows as the previous four variations -- attempts to delete several competing worms from infected systems, including Bagle.x and Bagle.w.

That trait, however, doesn't bolster one of the theories over the other, since Jaschan is also alleged to have authored all the Netsky worms, which traditionally took shots at Bagle's creators by including embedded trash talk in the code or trying to erase Bagle from compromised machines.
