Despatches from the frontline of the war against PC viruses

Security specialist F-Secure lets us in on a few anti-virus secrets

Written by Daniel Thomas in Helsinki

The IT industry's war against virus writers has seen battles won on both sides this year.

Sven Jaschan, the 18-year-old German responsible for spreading 70 per cent of viruses in the first six months of 2004, faces a maximum of five years' imprisonment after being charged earlier this month.

But his Netsky and Sasser computer worms have, so far, caused an estimated $6.25bn in damage, according to analyst Computer Economics, infecting hundreds of organisations worldwide, including the UK Coastguard, Heathrow Airport and the European Commission.

Most IT directors rely on anti-virus tools as a standard part of their defences. But how do those anti-virus writers ensure they can keep up with the seemingly relentless onslaught?

A team of 11 'virus crackers' at Finnish security specialist F-Secure were the first to warn the world about the Sasser outbreak in May.

Mikko Hypponen, F-Secure's director of anti-virus research, showed Computing around his labs last week to explain how they work.

'When I joined, 13 years ago, there were only 300 viruses and I don't think any one realised how bad it was going to get,' says Hypponen.

'And this year is probably going to be even worse than last year.'

Predictions that major virus attacks will cost businesses and consumers across the world $16.7bn this year back up his opinion.

'That's why the single fastest metric for any anti-virus firm is how fast you can protect customers by reacting to the virus,' he says.

One of the first computers to become infected with the Sasser virus was one of F-Secure's so-called 'honeypot' PCs - a Windows computer with no firewall or anti-virus products, so that new outbreaks show up as soon as they emerge.

'We have honeypots all over the world to detect viruses in the wild,' says Hypponen.

Other virus samples are received from different sources, including customers, other internet users and sometimes even the virus writers themselves.

'It could be that they have spent months writing it, but don't want to go to jail, so they show it off by sending it to the anti-virus firms,' he says.

'But we still decipher it and produce a patch as there's no guarantees they won't release it in the wild.'

F-Secure also exchanges information with its competitors, and several members of its anti-virus research team belong to the Computer Anti-Virus Researchers Organisation, a highly regarded group of virus breakers.

Once anti-virus firms find a new outbreak, they go through a series of processes to identify its characteristics and how it propagates over the internet.

'You can either make a virtual PC environment on a server and infect it to see what the effects will be or you can take real machines and build a network out of them,' says Hypponen.

'But more and more we are seeing viruses that detect whether they are under regulation and act differently. So the other way, instead of running the virus, is to look at the code.'

With the Sasser worm, the team used 'reverse engineering': carefully dismantling and inspecting the code to discover how it was built and what it was designed to do.

By analysing the code, Hypponen and his team were able to identify the key characteristics of Sasser, and discover how it copies itself into the Windows directory before scanning random IP addresses to find other vulnerable systems - often crashing PCs in the process.

'Once a server has been infected it starts to send random packets to places all over the network and internet,' he says.

'Eventually it will scan every single address in the world that is on the internet and find every thing that it can infect.'
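The random-address scanning described above is also what makes an infected host stand out on a network. The following is an added example, not F-Secure's code or anything from the original article: it flags a source that contacts many distinct addresses within a short window with mostly failed connections. The log format, thresholds and addresses are all assumed and constructed for the example.

```python
from collections import defaultdict

# Constructed sample connection log. Format (assumed for this example):
# "<epoch_seconds> <src_ip> <dst_ip> <outcome>", outcome is "ok" or "refused".
def build_sample_log():
    lines = []
    # A normal workstation talking repeatedly to one file server, all successful.
    for i in range(10):
        lines.append(f"{1000 + i * 5} 10.0.0.5 10.0.0.2 ok")
    # A worm-like host trying a new, unrelated address every second;
    # almost every attempt is refused because the target does not exist.
    for i in range(30):
        outcome = "ok" if i % 15 == 0 else "refused"
        lines.append(f"{1000 + i} 10.0.0.9 198.51.100.{i + 1} {outcome}")
    return lines

def parse_line(line):
    """Split one log line into (timestamp, src, dst, succeeded)."""
    ts, src, dst, outcome = line.split()
    return int(ts), src, dst, outcome == "ok"

def find_scanners(lines, window=60, min_targets=20, max_ok_ratio=0.2):
    """Return {src: (distinct_targets, successes)} for every source that,
    within any `window` seconds, contacted at least `min_targets` distinct
    hosts and had at most `max_ok_ratio` of those attempts succeed."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, ok = parse_line(line)
        by_src[src].append((ts, dst, ok))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for start in range(len(events)):
            t0 = events[start][0]
            targets, oks, total = set(), 0, 0
            # Sliding window: everything from this event up to t0 + window.
            for ts, dst, ok in events[start:]:
                if ts - t0 > window:
                    break
                targets.add(dst)
                oks += ok
                total += 1
            if len(targets) >= min_targets and oks / total <= max_ok_ratio:
                flagged[src] = (len(targets), oks)
                break  # one hit per source is enough to raise an alert
    return flagged

if __name__ == "__main__":
    for src, (targets, oks) in find_scanners(build_sample_log()).items():
        print(f"possible scanner {src}: {targets} targets, {oks} successes")
```

The normal host is never flagged because it only ever talks to one address, however often; the thresholds are a starting point and would be tuned against a real network's baseline.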

Once a virus has been cracked, the company creates a 'virus signature' and notifies customers that a patch is available for download.

'Sometimes viruses can take hours to decrypt, but once we know what it is we also alert the authorities and work with the ISP and web sites that might have been targeted to try and stop it from spreading,' says Hypponen.

Viruses were originally designed to damage systems, but today many have a more commercial objective - helping to spread spam, solicit online bank account details and deliver denial of service attacks, he says.

In January 2004, Mydoom.A, the largest email worm ever, was launched.

While experts focused on how the worm launched denial of service attacks against SCO and Microsoft's web sites, most were unaware that a spam proxy had been installed onto millions of infected computers, which then started sending advertising to all the email addresses it could find.

'People have got wise to direct spam, with individuals blocking addresses and ISPs shutting them down,' says Hypponen.

'Spam through proxy means it can be sent from what people think is a trusted address and much faster.'

There has been an increase in virus writing, but work by groups such as the National Hi-Tech Crime Unit, together with Microsoft's $250,000 virus writer bounty, also means that 2004 has been the best year for catching the culprits, says Hypponen.

'We have seen the arrests of Netsky and Sasser creator Sven Jaschan and Blaster writer Jeffrey Lee Parson,' he says.

But with the growing popularity of new technologies, such as smartphones, anti-virus firms are spreading their net wider to focus on mobile viruses.

'Laptops with and without wireless access, handheld devices with open operating systems and mobile phones are all devices that need to be protected,' says Hypponen.

In June 2004, Cabir, the first mobile virus, was found; it spreads using Bluetooth.

'It was something that we weren't expecting,' says Hypponen. 'We were looking for mass mailer text messages or viruses that destroyed business cards, but not a Bluetooth virus.'

'This changes things as it spreads like the flu and could infect everything around it.'

Other viruses such as Duts have been written to infect PocketPC mobile devices, and this month Brador, a backdoor, was found which gives cybercriminals full, invisible access to smartphones, allowing them to surf the internet or make calls.

And it is only a matter of time before premium rate text messaging and dialer viruses become commonplace, says Hypponen.

But through greater co-operation between mobile developers and the anti-virus industry, Hypponen hopes to kill mobile infections in their infancy.

'If you think about the PC virus problem that started 18 years ago, if we did the right things in 1986 we probably wouldn't have the 100,000 viruses that we have today,' he says.

'So if we start now with mobile phones then hopefully we won't have the same problems.'

The Financial Impact of Virus Attacks

Major virus attacks, such as Sasser, MyDoom and Bagel, will cost individual and corporate PC users $16.7bn worldwide this year, according to analyst Computer Economics. The most expensive virus of all time - so far - was the LoveBug in 2000, costing an estimated $8.75bn.

The most costly viruses over the past three years were:

2004: Sasser - $3.5bn; NetSky - $2.75bn; Bagel - $750m; MyDoom - $4.5bn

2003: SoBig - $2.75bn; Nachi - $500m; Blaster - $1.5bn; Slammer - $2bn

2002: BadTrans - $400m; BugBear - $500m; Klez - $1.5bn
