It's not difficult to write a malicious program that can steal data as the user it runs. In fact, it's trivially easy, and your homebrew program will almost certainly avoid every antivirus signature with the minimum of tweaking and testing.
Exploiting holes is harder, but there's always a PoC code somewhere if you dig enough, especially if you are subscribed to security lists. And there you might have to do a little tweaking/testing but with VM's and debugging toolkits, it's not hard for any proficient programmer.
Quite what the news is here, I don't know. Almost every virus in existence has "variants" that aren't made by the same author - people take and either hexedit or have access to enough source-code to outright clone a virus. It's all out there if you look hard enough.
But, honestly, if you want to write one, a teenager could do it. Whether it "goes viral" is more to do with how easily it spreads and how many people you can get to run it before it gets noticed. I work in schools, and "viruses" written by the bright kids can spread through the school in a matter of days.
Given that, the number of viruses used with actual malicious intent is extremely low.
Go ahead - write a program with viral attributes and compile it with a random compiler. Guarantee you you could infect your workplace, not show up on an anti-virus signature, and do much nastier things than steal some data that passes through memory in plaintext.
Which is why we should be running a permissions-based security, or at worst a signature whitelist and NOT a signature blacklist like AV operates on. The very existence of AV still makes me laugh at humanity.