Windows users infected last week by the W32.Blaster worm
might appreciate the attention of a new version of that worm that
cleans corrupted systems, then installs a software patch to prevent
future infections.
The worm, variously referred to as Worm_MSBLAST.D and Nachi,
appeared yesterday and spreads by exploiting the same Windows
security hole as the original Blaster worm, according to advisories
published by leading antivirus companies.
Antivirus companies disagreed on whether the new worm was a
version of the original Blaster or a new worm type. Some, like
Trend Micro, consider it a Blaster variant, naming it
Worm_MSBLAST.D and others declaring the worm a new type, named
W32.Nachi-A.
One thing is certain: unlike the original Blaster worm,
Blaster-D/Nachi is more concerned with fixing systems than
exploiting their weaknesses.
After infecting vulnerable Windows 2000 or Window XP machines,
the new worm searches for and removes the Blaster worm file,
Msblast.exe, and attempts to download and install a Windows
software patch from Microsoft that closes the security hole used by
the worm, according to antivirus companies.
The new worm hides behind a different file name from the Blaster
worm, Dllhost.exe, which allows it to bypass antivirus software
configured to detect and stop Blaster, according to Ian Hameroff,
security strategist at Computer Associates.
While they disagree about the new worm's name, antivirus
companies spoke as one in telling users to remove
Blaster-D/Nachi.
"Anything that does something without the end-user's approval or
even knowledge is not good," Hameroff said. "It's like having a
seasoned criminal break into your house and then, if he succeeds,
install an alarm system."
Blaster-D/Nachi does not distinguish between infected and
healthy systems, either. Instead, the worm spreads like Blaster by
identifying unpatched Windows 2000 and XP systems, then infecting
them, according to Hameroff.
Traffic from infected systems can also clog up computer networks
and create "denial of service" problems on computer networks if
many infected computers attempt to download the Microsoft Windows
patch at the same time, according to David Perry, global director
of education at Trend Micro.
However, for patched systems and machines that were not infected
by Blaster, Blaster-D/Nachi is programmed to remove itself after a
set amount of time passes, Hameroff said.
CA is still analysing the new worm and could not provide details
or say how long Nachi will stay on systems before removing itself,
he said.
There is no evidence that the worm installs Trojan horse
programs or other kinds of snooping "spyware" on infected systems,
Perry said.
Computer Associates rated Blaster-D/Nachi a "medium" threat,
indicating only a few reports from CA's customers. However, Trend
Micro said the new worm is a spreading rapidly in China and South
Korea, prompting a "red alert" from that company to its customers
in Asia, Perry said.
While the worm may ultimately benefit the internet community by
patching some of the loosely managed computer systems that are
breeding grounds for viruses, organisations and individuals should
not rely on Blaster-D/Nachi to take care of their patching problem,
security experts agreed.
Do-gooder worms are no substitute for timely and responsible
patching by system administrators, experts said.
"It's not the same as having the end-user apply the appropriate
patches as they're going along," Hameroff said. "This (worm) isn't
the ointment you apply to rid yourself of your wounds."
Paul Roberts writes for IDG News Service