Following a week in which hundreds of thousands of computers worldwide were affected by the Blaster worm, Sophos, a global leader in anti-virus protection for businesses, is warning against the new Nachi worm (W32/Nachi-A, also known as Welchia or Welchi). In a bizarre twist, the Nachi worm attempts to remove the Blaster worm as well as patch vulnerable Microsoft computers against a critical security hole to prevent reinfection.
Taking advantage of the same critical security hole in Microsoft Windows which was exploited by the Blaster worm, Nachi searches for unpatched computers. Once it locates one, it infects the computer without asking the user's permission and hunts for traces of the Blaster worm. If Blaster is found, the Nachi worm attempts to remove the infection and download patches to fix the Microsoft vulnerability.
"The writer of the Nachi worm may want to be seen as the Dirty Harry of the internet world, cleaning up malicious Blaster code wherever it is found," said Graham Cluley, senior technology consultant at Sophos. "But no virus is a good virus. Infecting systems in order to disinfect and patch computers isn't a responsible way to deal with the problem as the worm could easily get out of control or cause unexpected conflicts. It is vital that computer users patch the holes in Microsoft software and ensure their anti-virus has the latest protection."
The author of Nachi suggests that he is a family man - contained inside the worm's code is the text "I love my wife & baby :)".
The Microsoft security patch to protect against the vulnerability exploited by the Nachi and Blaster worms can be downloaded from www.microsoft.com/technet/security/bulletin/MS03-026.asp
Home users of Microsoft Windows can visit http://windowsupdate.microsoft.com and get their system scanned for Microsoft security vulnerabilities.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.