New variant of Blaster worm "fixes" infected systems

Windows users infected last week by the W32.Blaster worm might appreciate the attention of a new version of that worm that cleans...

Windows users infected last week by the W32.Blaster worm might appreciate the attention of a new version of that worm that cleans corrupted systems, then installs a software patch to prevent future infections.

The worm, variously referred to as Worm_MSBLAST.D and Nachi, appeared yesterday and spreads by exploiting the same Windows security hole as the original Blaster worm, according to advisories published by leading antivirus companies.

Antivirus companies disagreed on whether the new worm was a version of the original Blaster or a new worm type. Some, like Trend Micro, consider it a Blaster variant, naming it Worm_MSBLAST.D and others declaring the worm a new type, named W32.Nachi-A.

One thing is certain: unlike the original Blaster worm, Blaster-D/Nachi is more concerned with fixing systems than exploiting their weaknesses.

After infecting vulnerable Windows 2000 or Window XP machines, the new worm searches for and removes the Blaster worm file, Msblast.exe, and attempts to download and install a Windows software patch from Microsoft that closes the security hole used by the worm, according to antivirus companies.

The new worm hides behind a different file name from the Blaster worm, Dllhost.exe, which allows it to bypass antivirus software configured to detect and stop Blaster, according to Ian Hameroff, security strategist at Computer Associates.

While they disagree about the new worm's name, antivirus companies spoke as one in telling users to remove Blaster-D/Nachi.

"Anything that does something without the end-user's approval or even knowledge is not good," Hameroff said. "It's like having a seasoned criminal break into your house and then, if he succeeds, install an alarm system."

Blaster-D/Nachi does not distinguish between infected and healthy systems, either. Instead, the worm spreads like Blaster by identifying unpatched Windows 2000 and XP systems, then infecting them, according to Hameroff.

Traffic from infected systems can also clog up computer networks and create "denial of service" problems on computer networks if many infected computers attempt to download the Microsoft Windows patch at the same time, according to David Perry, global director of education at Trend Micro.

However, for patched systems and machines that were not infected by Blaster, Blaster-D/Nachi is programmed to remove itself after a set amount of time passes, Hameroff said.

CA is still analysing the new worm and could not provide details or say how long Nachi will stay on systems before removing itself, he said.

There is no evidence that the worm installs Trojan horse programs or other kinds of snooping "spyware" on infected systems, Perry said.

Computer Associates rated Blaster-D/Nachi a "medium" threat, indicating only a few reports from CA's customers. However, Trend Micro said the new worm is a spreading rapidly in China and South Korea, prompting a "red alert" from that company to its customers in Asia,  Perry said.

While the worm may ultimately benefit the internet community by patching some of the loosely managed computer systems that are breeding grounds for viruses, organisations and individuals should not rely on Blaster-D/Nachi to take care of their patching problem, security experts agreed.

Do-gooder worms are no substitute for timely and responsible patching by system administrators, experts said.

"It's not the same as having the end-user apply the appropriate patches as they're going along," Hameroff said. "This (worm) isn't the ointment you apply to rid yourself of your wounds."

Paul Roberts writes for IDG News Service

Read more on IT strategy