Sophos virus experts have warned computer users of a new variant
of the Nachi worm (W32/Nachi-B) that attempts
to remove infections of W32/MyDoom-A and W32/MyDoom-B, and
download Microsoft security patches to unprotected computers.

Taking advantage of the same critical security hole in Microsoft
Windows which was exploited by the Blaster worm, Nachi searches
for unpatched computers. Once located, it infects the computer
without asking the user's permission and hunts for traces of the
MyDoom worms. If a MyDoom infection is found, the Nachi-B worm
attempts to remove it and download patches to fix the Microsoft

"This worm's author may think he is a modern-day Robin Hood, but
there is no such thing as a good virus," said Graham Cluley, senior
technology consultant at Sophos. "Nachi-B infects innocent
computers without permission, steals network bandwidth, CPU time
and hard disk space, and makes changes to the computer's setup and
data. A worm can easily get out of control and cause unexpected
conflicts. It is vital that computer users patch the holes in
Microsoft software and ensure their anti-virus is fully

Curiously, the Nachi-B worm attempts to overwrite some files
with an HTML file containing references to the dropping of atomic
bombs on Japan in World War II:

LET HISTORY TELL FUTURE !
1937.12.13 300,000 !
1945.8.6 Little boy
Let history tell future !

The original Nachi worm (W32/Nachi-A), seen in
August 2003, attempted to remove infections from computers infected
by W32/Blaster-A. It was
subsequently blamed for causing considerable disruption to many
businesses around the world.

The Microsoft security patch to protect against the
vulnerability exploited by the Nachi and Blaster worms was released
last year, and can be downloaded from www.microsoft.com/technet/security/bulletin/MS03-026.asp.
Home users of Microsoft Windows can visit windowsupdate.microsoft.com to have their
systems scanned for Microsoft security vulnerabilities.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.