Computer World on Tuesday, August 19, 2003
Microsoft Corp. Windows users whose systems were infected last week by the W32.Blaster worm might appreciate the attention of a new version of that worm that cleans corrupted systems and then installs a software patch to prevent future infections. The worm, variously referred to as Worm_MSBLAST.D and Nachi, appeared today and spreads by exploiting the same Windows security hole as the original Blaster worm, according to advisories published by leading antivirus companies. Antivirus companies disagreed on whether the new worm was a version of the original Blaster or a new worm type. Some, like Trend Micro Inc., consider it a Blaster variant, naming it Worm_MSBLAST.D. Others, declaring the worm a new type, named it W32.Nachi-A.
One thing is certain: Unlike the original Blaster worm, Blaster-D/Nachi is more concerned with fixing systems than exploiting their weaknesses.
After infecting vulnerable Windows 2000 or Window XP machines, the new worm searches for and removes the Blaster worm file, Msblast.exe, and attempts to download and install a Windows software patch from Microsoft that closes the security hole used by the worm, according to antivirus companies.
The new worm hides behind a different file name from the Blaster worm, Dllhost.exe, which allows it to bypass antivirus software configured to detect and stop Blaster, according to Ian Hameroff, security strategist at Computer Associates International Inc.
While they disagree about the new worm’s name, antivirus companies spoke as one in telling users to remove Blaster-D/Nachi.
“Anything that does something without the end user’s approval or even knowledge is not good,” Hameroff said. “It’s like having a seasoned criminal break into your house and then, if he succeeds, install an alarm system.”
Blaster-D/Nachi doesn’t distinguish between infected and healthy systems, either. Instead, the worm spreads like Blaster by identifying unpatched Windows 2000 and XP systems, then infecting them, according to Hameroff.
Traffic from infected systems can also clog up computer networks and create denial-of-service problems on computer networks if many infected computers attempt to download the Microsoft Windows patch at the same time, according to David Perry, global director of education at Trend Micro Inc., which has North American headquarters in Cupertino, Calif.
However, for patched systems and machines that were not infected by Blaster, Blaster-D/Nachi is programmed to remove itself after a set amount of time passes, Hameroff said. CA is still analyzing the new worm and could not provide details or say how long Nachi will stay on systems before removing itself, he said.
There is no evidence that the worm installs Trojan horse programs or other kinds of snooping “spyware” on infected systems, Perry said.
Islandia, N.Y.-based Computer Associates rated Blaster-D/Nachi a “medium” threat, indicating only a few reports from CA’s customers.
However, Trend Micro said the new worm is spreading rapidly in China and South Korea, prompting that company to issue a “red alert” to its customers in Asia, Perry said.
While the worm may ultimately benefit the Internet community by patching some of the loosely managed computer systems that are breeding grounds for viruses, organizations and individuals should not rely on Blaster-D/Nachi to take care of their patching problem, security experts agreed.
Do-gooder worms are no substitute for timely and responsible patching by systems administrators, experts said.
“It’s not the same as having the end user apply the appropriate patches as they’re going along,” Hameroff said. “This [worm] isn’t the ointment you apply to rid yourself of your wounds.”